Critical

Command Injection in Acer Connect W6x MQTT Broker Processing

IdentifiersCVE-2026-49199CWE-77· Improper Neutralization of Special…

CVE-2026-49199 is a command injection vulnerability in the MQTT broker processing logic of Acer Connect W6x consumer wireless devices. According to the provided content, crafted MQTT messages are insufficiently sanitized before being processed, allowing an attacker to inject commands or trigger execution of dangerous system scripts. Acer’s fix added application-level payload sanitization to the MQTT broker processing path, indicating the flaw is caused by improper neutralization of special elements in incoming MQTT message data. Successful exploitation results in arbitrary code execution as root on the target device.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote, unauthenticated attackers to achieve root-level arbitrary code execution on the affected device. This implies full compromise of the device, including the ability to run system scripts, alter configuration, access or manipulate data handled by the device, establish persistence, and disrupt device availability or network services. The provided CVSS information indicates high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the MQTT service to untrusted networks and restrict which hosts can send MQTT traffic to the device. Segment affected devices from attacker-controlled or guest networks, apply network ACLs/firewall rules to limit access to the broker interface, and monitor for malformed or unexpected MQTT messages targeting the device. These are compensating controls only; vendor firmware update is the primary mitigation.

Remediation

Patch, then assume compromise.

Update affected Acer Connect W6x devices to firmware version W6x_GBL_2.00.000008 or later. Acer states the update can be applied through the device management console at 192.168.76.1 via the system update tab. The vendor patch adds application-level payload sanitization to the MQTT broker processing logic to safely filter incoming messaging strings and mitigate arbitrary code execution.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AcerPredator Connect W6X Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

security online infoNews

Jun 4, 2026

Acer Router Flaw: Critical Authentication Bypass

A critical command injection vulnerability in the MQTT broker processing logic of Acer Connect W6x devices that can lead to arbitrary code execution.

cvefeed high severityNews

May 29, 2026

CVE-2026-49199 - Predator Connect W6x: RCE via MQTT

A command injection vulnerability reachable via crafted MQTT messages that can lead to root-level code execution on the target device.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-49199

NVD

nvd.nist.gov/vuln/detail/CVE-2026-49199

MITRE CWE · CWE-77

Improper Neutralization of Special Elements…

Vendor Advisory

community.acer.com/en/kb/articles/19672