CRITICAL🇵🇱 Wersja polska

CVE-2026-49185

CVSS 10.0v4.0pub. 2026-06-04

The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection.

🤖 AI Analysis
How it works

The FieldX MDM adb messaging topic passes unverified payloads directly to the Runtime.exec() function. Lack of input validation and data sanitization enables an attacker to embed arbitrary system commands in the payload, which will be executed by the process with application privileges. The attack can be conducted remotely, without authentication and without any interaction from the device user.

Impact

An attacker can remotely execute arbitrary system commands on the device (RCE), potentially leading to complete device takeover and compromise of confidentiality, integrity, and availability of both the device itself and connected systems.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references (https://community.acer.com/en/kb/articles/19707)

Who is affected

Acer Connect M6E 5G and Acer Connect M6E 5G Firmware software — specific versions indicated in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Acer Connect M6e 5g

    HW
    Acer
    wszystkie wersje
  • Acer Connect M6e 5g Firmware

    OS
    Acer
    ≤ m6e_ai_1.00.000019
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-49194CRITICAL9.4PL ✓ten sam produkt

Acer Connect M6E 5G — pominięcie uwierzytelnienia przez procedurę debugowania

CVE-2026-50208CRITICAL9.2PL ✓ten sam produkt

Acer Connect M6E 5G: wyłączona walidacja TLS i zakodowane klucze DES umożliwiają MITM

CVE-2026-49191CRITICAL9.3PL ✓ten sam produkt

Acer Connect M6E 5G — hardkodowane klucze API w M3WebServer (Auth Bypass)

CVE-2026-49190CRITICAL9.4PL ✓ten sam produkt

Command injection w Acer Connect M6E 5G — nieautoryzowane wykonanie poleceń

CVE-2026-50209CRITICAL9.3PL ✓ten sam produkt

Acer Connect M6E 5G – przejęcie kontroli MDM przez broadcast event