Cyber Resilience

CVE-2026-49199

Severity: Critical · RCE · Updated

Published: 29 May 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: see the referenced Acer advisory
CVSS Score (v4): 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0134 (67.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-49199 is a critical-severity Command Injection (CWE-77) vulnerability in Acer Predator Connect W6X Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS percentile places it in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device. The vulnerability is tracked as CVE-2026-49199 with a CVSS v4 base score of 10.0 and is classified as CWE-77 (Command Injection). The reference URL points to an Acer community knowledge base article, indicating the affected component is an Acer device that exposes an MQTT interface.

An unauthenticated attacker with network access to that MQTT interface can send specially crafted messages to the device. Successful exploitation yields root-level code execution, giving complete control of the device without user interaction or credentials (PR:N/UI:N in the vector); the SC:H/SI:H/SA:H metrics further indicate that the impact is expected to extend to systems beyond the device itself. The practical exposure check is therefore whether the device's MQTT service is reachable from untrusted networks.

The EPSS score rose from an initial 0.0022 to 0.0100 over the period this analysis covers (the header shows the latest value, 0.0134), indicating growing predicted exploitation likelihood since disclosure. The referenced Acer advisory is the primary source of mitigation details for affected devices; apply the mitigation it describes and, until then, keep the MQTT interface unreachable from untrusted networks.

Vulnerability details

Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Crafted MQTT messages reach the vulnerable service over the network, so the initial foothold is exploitation of an exposed service (T1190). Because the injected command already runs as root, the same exploit yields privileged execution without a separate escalation step (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-38707 (shared CWE-77)
CVE-2024-48841 (shared CWE-77)
CVE-2025-55227 (shared CWE-77)
CVE-2026-23778 (shared CWE-77)
CVE-2025-64424 (shared CWE-77)
CVE-2026-38703 (shared CWE-77)
CVE-2024-53945 (shared CWE-77)
CVE-2025-22939 (shared CWE-77)
CVE-2026-3519 (shared CWE-77)
CVE-2025-22941 (shared CWE-77)

Affected Assets

Vendor: acer
Product: predator connect w6x firmware
Affected versions: ≤ w6x_gbl_2.00.000005

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and sanitization of all MQTT message inputs, which blocks the command-injection payload before it reaches a shell or command interpreter and so prevents the root code execution.

AC-3 Access Enforcement (prevent)

Enforces authentication and authorization on the exposed MQTT interface so that unauthenticated network attackers cannot reach the vulnerable command-processing code.

SC-7 Boundary Protection (prevent)

Boundary-protection mechanisms can restrict or filter traffic to the device's MQTT port (MQTT defaults to 1883, or 8883 over TLS; confirm the port actually in use on the device), reducing the attack surface that allows unauthenticated crafted messages.
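As an added illustration (not Acer's code and not a reconstruction of the W6X firmware), the following C program shows the CWE-77 pattern the analysis above describes and the SI-10 control recommended here: a minimal parser for an MQTT 3.1.1 PUBLISH packet, a vulnerable handler that splices the payload into a shell command line, and a hardened path that validates the payload against a hostname/IPv4 character allowlist and hands it to execvp as a single argv element so no shell ever parses it. The topic name `predator/diag/ping`, the `ping` diagnostic use case and the sample packet are constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical MQTT-driven diagnostic handler illustrating CWE-77.
 * Not Acer's code; topic, command and sample packet are assumptions. */

/* Parsed view of an MQTT 3.1.1 PUBLISH packet (QoS 0, so no packet id). */
struct mqtt_publish {
    char topic[128];
    char payload[256];
};

/* Encode a QoS-0 PUBLISH with a single-byte remaining length (< 128 bytes).
 * Used only to construct the sample packet; returns bytes written, 0 on error. */
size_t mqtt_build_publish(unsigned char *buf, size_t bufsz,
                          const char *topic, const char *payload)
{
    size_t tlen = strlen(topic), plen = strlen(payload);
    size_t remaining = 2 + tlen + plen;
    if (remaining > 127 || remaining + 2 > bufsz) return 0;
    buf[0] = 0x30;                          /* type 3 = PUBLISH, flags 0 */
    buf[1] = (unsigned char)remaining;
    buf[2] = (unsigned char)(tlen >> 8);    /* topic length, big-endian */
    buf[3] = (unsigned char)(tlen & 0xff);
    memcpy(buf + 4, topic, tlen);
    memcpy(buf + 4 + tlen, payload, plen);
    return remaining + 2;
}

/* Decode a PUBLISH packet; 0 on success, -1 on anything malformed. */
int mqtt_parse_publish(const unsigned char *pkt, size_t len,
                       struct mqtt_publish *out)
{
    if (len < 4 || (pkt[0] >> 4) != 3) return -1;
    size_t remaining = pkt[1];
    if ((remaining & 0x80) || remaining + 2 != len) return -1;
    size_t tlen = ((size_t)pkt[2] << 8) | pkt[3];
    if (4 + tlen > len || tlen >= sizeof out->topic) return -1;
    memcpy(out->topic, pkt + 4, tlen);
    out->topic[tlen] = '\0';
    size_t plen = len - 4 - tlen;
    if (plen >= sizeof out->payload) return -1;
    memcpy(out->payload, pkt + 4 + tlen, plen);
    out->payload[plen] = '\0';
    return 0;
}

/* VULNERABLE (CWE-77): the attacker-controlled payload is spliced into a
 * shell command line. A root daemon would pass this string to system(), so
 * "8.8.8.8; <anything>" runs <anything> as root. The string is returned
 * rather than executed so the injection is visible without running it. */
int build_ping_command_vulnerable(const struct mqtt_publish *msg,
                                  char *cmd, size_t cmdsz)
{
    int n = snprintf(cmd, cmdsz, "ping -c 1 %s", msg->payload);
    return (n >= 0 && (size_t)n < cmdsz) ? 0 : -1;
}

/* HARDENED (SI-10): accept only hostname/IPv4 characters, non-empty, at most
 * 253 bytes (max DNS name), not starting with '-' (ping would read it as an
 * option). Shell metacharacters (; | & ` $ quotes newline) fail the allowlist. */
int is_valid_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED execution: the validated value is one argv element given to
 * execvp, so no shell interprets it. Returns ping's exit status, or -1 if
 * the payload was rejected or the child could not be started. */
int run_ping_hardened(const struct mqtt_publish *msg)
{
    if (!is_valid_host(msg->payload)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "1", (char *)msg->payload, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: a crafted PUBLISH carrying an injected command. */
    unsigned char pkt[128];
    struct mqtt_publish msg;
    char cmd[512];
    size_t n = mqtt_build_publish(pkt, sizeof pkt, "predator/diag/ping",
                                  "8.8.8.8; id > /tmp/pwned");
    if (n == 0 || mqtt_parse_publish(pkt, n, &msg) != 0) return 1;
    build_ping_command_vulnerable(&msg, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened validator accepts payload: %s\n",
           is_valid_host(msg.payload) ? "yes" : "no");
    return 0;
}
```

The allowlist is deliberately narrower than "strip the dangerous characters": a deny-list of metacharacters is easy to get wrong across shells and busybox builds, whereas refusing anything outside `[A-Za-z0-9.-]` and never invoking a shell removes the interpreter from the path entirely. The AC-3 and SC-7 controls above are complementary: they keep the crafted message from reaching this handler at all, and they do not depend on the firmware being fixed.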

References