CVE-2026-49199
Command Injection in MQTT Broker via Crafted Messages
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| acer | connect_w6x | 2.00.000008 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves crafted MQTT messages that can trigger command injection on the target device.
Successful exploitation results in root-level code execution, meaning an attacker can run arbitrary commands with the highest privileges on the device.
How can this vulnerability impact me? :
The impact of this vulnerability is severe because it allows an attacker to execute arbitrary code with root privileges on the affected device.
This can lead to complete compromise of the device, including unauthorized access, data theft, disruption of services, or using the device as a foothold for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows crafted MQTT messages to trigger command injection resulting in root-level code execution on the target device. Such a critical security flaw can lead to unauthorized access and control over the device, potentially compromising sensitive data and system integrity.
This level of vulnerability can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require robust security measures to protect personal and sensitive information from unauthorized access and breaches.
Failure to address this vulnerability could result in violations of these regulations due to potential data breaches or unauthorized system control, leading to legal and financial consequences.
Acer has released a firmware update that includes MQTT payload sanitization to prevent arbitrary code execution, which is critical to mitigating this vulnerability and maintaining compliance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves crafted MQTT messages that trigger command injection leading to root-level code execution. Detection can focus on monitoring MQTT broker activity for unusual or unauthorized MQTT messages, especially those attempting wildcard topic subscriptions or suspicious payloads.
Specific commands are not provided in the available resources. However, general detection methods could include capturing MQTT traffic using tools like tcpdump or Wireshark to analyze MQTT messages on the network, and checking for connections or messages on the MQTT broker that include wildcard topic subscriptions or malformed payloads.
Additionally, monitoring TCP port 9000 for unauthorized access attempts to the debug service and inspecting the Web Admin Panel input fields for suspicious activity could help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Acer Connect W6x router firmware to version W6x_GBL_2.00.000008 or later, which includes fixes for this vulnerability among others.
Users should perform the firmware update via the router admin console and avoid restarting or unplugging the router during the update process to ensure a successful upgrade.
The update strengthens authentication on TCP port 9000, improves input validation in the Web Admin Panel, restricts wildcard topic subscriptions in the MQTT broker, and adds payload sanitization to prevent arbitrary code execution.