CVE-2026-49185
Analyzed Analyzed - Analysis Complete
Command Injection in FieldX MDM via adb Messaging

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639

Description
The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-14
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-12
NVD
CVE-2026-49185
EUVD
EUVD-2026-34199
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
acer connect_m6e_5g_firmware to m6e_ai_1.00.000019 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the FieldX MDM adb messaging topic allows unverified payloads to be passed directly into Runtime.exec(), which enables command or instruction injection.

This means that an attacker can send malicious commands through the messaging system that the device executes without proper validation, potentially leading to unauthorized control over the device.

Impact Analysis

Exploitation of this vulnerability can allow attackers to execute arbitrary commands with root privileges on the affected device.

  • Attackers could manipulate device configurations.
  • They could intercept communications.
  • They might escalate privileges.
  • They could harvest sensitive user data.

Overall, this can lead to complete compromise of the device and exposure of sensitive information.

Mitigation Strategies

Acer recommends users to secure their devices with strong administrative passwords and restrict IPv6 traffic where possible.

Users should apply the forthcoming firmware patches via the device management interface as soon as they are released.

Compliance Impact

The vulnerability allows attackers to execute arbitrary commands with root privileges, manipulate device configurations, intercept communications, escalate privileges, or harvest user data.

Such unauthorized access and potential data exposure could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring secure system operations.

Therefore, until patched, this vulnerability poses a significant risk to compliance by potentially exposing sensitive user data and compromising device security controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart