CVE-2026-49199
Published: 29 May 2026
Summary
CVE-2026-49199 is a critical-severity Command Injection (CWE-77) vulnerability in Acer Predator Connect W6X Firmware. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device. The vulnerability is tracked as CVE-2026-49199 with a CVSS score of 10.0 and is associated with CWE-77. The reference URL points to an Acer community knowledge base article, indicating the affected component is an Acer device exposing an MQTT interface.
An unauthenticated attacker with network access can send specially crafted MQTT messages to the device. Successful exploitation grants full root-level code execution, allowing complete control over the target without any user interaction or credentials.
The EPSS score rose from a low starting value of 0.0022 to a peak of 0.0100, indicating emerging exploitation interest after disclosure. The referenced Acer advisory provides the primary source of mitigation details for affected devices.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-33269
Vulnerability details
Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via crafted MQTT messages directly enables remote exploitation of a network service (T1190) leading to root code execution (T1068).
Affected Assets
Acer Predator Connect W6X Firmware
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation and sanitization of all MQTT message inputs to block the command-injection payload that leads to root code execution.
AC-3 (Access Enforcement): enforces authentication and authorization on the exposed MQTT interface so that unauthenticated network attackers cannot reach the vulnerable command-processing code.
SC-7 (Boundary Protection): boundary-protection mechanisms can restrict or filter traffic to the device's MQTT port, reducing the attack surface that allows unauthenticated crafted messages.
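Added example (not from the advisory and not Acer's firmware code): a Python MQTT message handler showing the vulnerable shell-concatenation pattern next to the SI-10-style allowlist validation that blocks it. The topic, the interface-name field and the ping command are assumptions constructed for illustration.

```python
import re
import subprocess
from typing import List, Optional

# Assumed message format (constructed for this example): a message on the
# topic "device/diag/ping" carries an interface name such as "eth0" as payload.
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")  # allowlist: short lowercase alnum name


def unsafe_command(payload: str) -> str:
    """Vulnerable pattern: the payload is spliced into a shell command line.
    The string is returned, not executed, so the injection is visible without
    running anything; a shell would treat ';' as a command separator."""
    return f"ping -c 1 -I {payload} 192.0.2.1"


def safe_argv(payload: str) -> List[str]:
    """Hardened pattern: validate the field against a strict allowlist, then
    build an argv list that is handed to the program directly. No shell parses
    the payload, so metacharacters have no special meaning even if one slips through."""
    if not IFACE_RE.fullmatch(payload):
        raise ValueError(f"rejected interface name: {payload!r}")
    return ["ping", "-c", "1", "-I", payload, "192.0.2.1"]


def handle_diag_message(payload: str, execute: bool = False) -> Optional[List[str]]:
    """Callback body as a broker client would invoke it on each message.
    Returns the argv that was (or would be) run, or None when the payload is
    rejected; rejected messages are logged for detection, never retried via a shell."""
    try:
        argv = safe_argv(payload)
    except ValueError as exc:
        print(f"DROP device/diag/ping: {exc}")  # feed this line to your SIEM
        return None
    if execute:
        subprocess.run(argv, shell=False, check=False, timeout=5)
    return argv


if __name__ == "__main__":
    for sample in ("eth0", "eth0; id", "wlan0$(id)"):  # constructed payloads
        print("unsafe would run:", unsafe_command(sample))
        print("hardened result :", handle_diag_message(sample))
```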