External risk intelligence

Acer Predator Connect W6x Firmware Command Injection

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-49199

A critical vulnerability in network-connected devices allows for root-level command injection through crafted network messages. This could enable unauthorized code execution and complete device compromise if reachable over a network. Understanding the reachability and criticality of affected devices is essential.

4Halo Surface Signal

Command Injection

Acer Predator Connect W6x Firmware

w6x_gbl_2.00.000005 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-49199

This vulnerability affects consumer routers, which serve as edge gateways between internal networks and the internet. Because these devices are frequently internet-facing and reside at the network boundary, the reachable attack vector poses a high risk for residential and small-office environments.

PCI scan relevance

PCI Relevance for CVE-2026-49199

Yes

CVE-2026-49199 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

A critical vulnerability in Acer Predator Connect W6x firmware allows unauthenticated network attackers to execute arbitrary code with root privileges. This is due to command injection via crafted MQTT messages, impacting the confidentiality, integrity, and availability of the sy

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists that allows unauthorized execution of commands at the highest privilege level on affected devices via specially crafted network messages. This could enable attackers to gain complete control over the targeted systems.

  • Malicious messages can allow remote code execution.
  • It impacts devices that connect your network to the internet.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can send specially crafted messages over the MQTT protocol to a vulnerable device. This can lead to command injection, allowing the attacker to execute commands with the highest level of privilege on the device.

  • Unauthenticated network access required.
  • Specially crafted MQTT messages trigger vulnerability.
  • Root-level code execution risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges on affected devices by sending specially crafted MQTT messages. This could occur when the device is accessible over a network and its MQTT service is exposed.

  • Root-level access to the device.
  • Network access can trigger command injection.
  • Complete device compromise.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability, allowing root-level code execution via crafted MQTT messages, likely impacts consumer routers acting as network edge devices. Owners of Acer Predator Connect W6x routers should first identify all deployed devices, determine their exposure and business criticality, and locate the accountable asset owner. Subsequently, a remediation plan should be developed based on the assessed risk, potentially involving coordination with Acer for firmware updates.

  • Asset owners should prioritize identification and inventory.
  • Verify internet-facing accessibility and business criticality.
  • Plan remediation, possibly coordinating with vendor support.

Frequently asked questions

What is Acer Predator Connect W6x firmware?

Acer Predator Connect W6x firmware is the software that runs on Acer's Predator Connect W6x router, a device used to connect a home or office network to the internet. This router manages network traffic and provides Wi-Fi connectivity for other devices.

What is command injection in CVE-2026-49199?

CVE-2026-49199 is a command injection vulnerability. This means an attacker can trick the affected software into running their own commands, rather than the commands it was designed to run. In this case, it allows root-level code execution, giving the attacker complete control.

How can an attacker exploit CVE-2026-49199?

An attacker can exploit this vulnerability by sending specially crafted messages over the MQTT network protocol to the vulnerable device. This exploit does not require any authentication from the attacker and can be triggered remotely.

Who should care about this vulnerability?

Anyone using an Acer Predator Connect W6x router should be concerned. Because these routers often face the internet, they can be a gateway for attackers to compromise your network, making this a relevant threat for home and small office users.

What is the first step for managing this threat?

If you are running this technology, the first step is to identify all deployed Acer Predator Connect W6x devices within your network. You should then determine if these devices are accessible from the internet and assess their importance to your operations.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified