Acer (Connect M6E), Authentication Bypass via Shared Secret Weakness, CVE-2026-50214 (Critical) -DC-Jun2026-257


The core issue lies in how the `/v1/Plan` API endpoint on affected Acer routers verifies a user’s identity. Instead of implementing a per-user or per-session authentication mechanism, the service relies solely on a single, shared global API token to authorize all administrative actions. This token functions as a master key: anyone who possesses it is granted full administrative privileges over the device’s network access plan management features. The vulnerability exists because the system performs no additional verification, such as checking the source of the request, binding the token to a specific session, or validating the user’s role or scope of access.

Consequently, an attacker who obtains or correctly guesses this shared global secret can make arbitrary API calls to the `/v1/Plan` endpoint. The most direct impact is the ability to create new network access plans with a zero cost. On a portable 5G router, this could allow an attacker to provision new data plans or service tiers for themselves at no charge, effectively bypassing the provider’s billing and quota enforcement. The attack vector is entirely remote, because the API is exposed over the network, and it requires no user interaction from a legitimate administrator.

The flaw is categorized under CWE-345: Insufficient Verification of Data Authenticity. Discovery is credited to security researcher Ta-Lun Yen. The vulnerable versions are all releases of the Acer Connect M6E 5G Portable WiFi Router firmware up to and including version M6E_AI_1.00.000019. Acer has published a security advisory and released a firmware update that addresses the vulnerability by implementing proper per-request authentication for administrative API calls.

DailyCVE Form:

Platform: Acer Connect M6E
Version: up to M6E_AI_1.00.000019
Vulnerability: Auth Bypass (CWE-345)
Severity: Critical (CVSS 9.3)
Date: 2026-06-04

Prediction: June 11, 2026

What Undercode Say:

```bash
# Simulate an API request to create a zero-cost plan
# using the shared global API token
curl -X POST http://target-router-ip/v1/Plan \
  -H "Authorization: Bearer LEAKED_SHARED_GLOBAL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"plan_name":"Exploit_Plan","cost":0,"data_limit":"100GB"}'
# If successful, the response will likely be a 200 OK with the plan details
```

How to Exploit:

  1. Identify an Acer Connect M6E router on the network.
  2. Obtain the shared global API token for the `/v1/Plan` service. This could be achieved by sniffing unencrypted traffic, extracting it from a compromised device or mobile app, or guessing if the token uses a weak pattern.
  3. Craft a POST request to the `/v1/Plan` endpoint.
  4. Include the stolen or guessed token in the request header for authorization.
  5. Set the `cost` parameter to zero in the JSON payload to provision a free network plan.
  6. Send the request. The vulnerable service will accept it as a valid administrative action.

Protection:

  • Immediate Patching: Update the router firmware to the latest version provided by Acer, which replaces the shared global token with a robust authentication framework.
  • Network Segmentation: Isolate IoT devices like routers on a dedicated VLAN to limit the exposure of their administrative APIs to the broader network.
  • Monitor API Traffic: Implement monitoring for the `/v1/Plan` endpoint to detect anomalous plan creation requests, especially those with zero cost.
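A defender-side check for the "Monitor API Traffic" bullet, added here as an example and not part of the original advisory or of Acer's firmware. It assumes a JSON-per-line request log from a reverse proxy or gateway in front of the router (an assumed format, not an Acer log format), with constructed sample lines, and flags successful `/v1/Plan` creations whose cost is zero as well as sources creating plans in bursts.

```python
import json
from collections import Counter

# Constructed sample request log (not real Acer output): one JSON record per line,
# in the assumed format a proxy in front of the router might emit.
SAMPLE_LOG = """\
{"ts":"2026-06-04T10:00:01Z","src":"192.0.2.10","method":"GET","path":"/v1/Plan","status":200,"body":""}
{"ts":"2026-06-04T10:00:07Z","src":"192.0.2.10","method":"POST","path":"/v1/Plan","status":200,"body":"{\\"plan_name\\":\\"Business\\",\\"cost\\":20,\\"data_limit\\":\\"50GB\\"}"}
{"ts":"2026-06-04T10:02:15Z","src":"198.51.100.7","method":"POST","path":"/v1/Plan","status":200,"body":"{\\"plan_name\\":\\"Exploit_Plan\\",\\"cost\\":0,\\"data_limit\\":\\"100GB\\"}"}
{"ts":"2026-06-04T10:02:16Z","src":"198.51.100.7","method":"POST","path":"/v1/Plan","status":200,"body":"{\\"plan_name\\":\\"Exploit_Plan2\\",\\"cost\\":0.0,\\"data_limit\\":\\"100GB\\"}"}
{"ts":"2026-06-04T10:02:17Z","src":"198.51.100.7","method":"POST","path":"/v1/Plan","status":200,"body":"{\\"plan_name\\":\\"Exploit_Plan3\\",\\"cost\\":\\"0\\",\\"data_limit\\":\\"1TB\\"}"}
{"ts":"2026-06-04T10:05:00Z","src":"203.0.113.5","method":"POST","path":"/v1/Plan","status":401,"body":"{\\"plan_name\\":\\"x\\",\\"cost\\":0}"}
"""


def plan_posts(log_text):
    """Yield (record, parsed JSON body) for every POST to /v1/Plan in the log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != "/v1/Plan":
            continue
        try:
            payload = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            payload = {}  # unparsable body: still counted, cost treated as unknown
        yield rec, payload


def is_zero_cost(payload):
    """True for cost 0, 0.0, "0" or "0.00"; a missing or non-numeric cost is also
    flagged, because a plan created without a valid price deserves review."""
    try:
        return float(payload.get("cost")) == 0.0
    except (TypeError, ValueError):
        return True


def detect(log_text, burst_threshold=3):
    """Return successful (2xx) zero-cost plan creations and sources that created
    at least burst_threshold plans; rejected (non-2xx) requests are ignored."""
    alerts, created_per_src = [], Counter()
    for rec, payload in plan_posts(log_text):
        if not 200 <= int(rec.get("status", 0)) < 300:
            continue
        created_per_src[rec["src"]] += 1
        if is_zero_cost(payload):
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "plan_name": payload.get("plan_name")})
    bursts = {s: n for s, n in created_per_src.items() if n >= burst_threshold}
    return {"zero_cost": alerts, "burst_sources": bursts}
```

Run `detect(SAMPLE_LOG)` to see the three zero-cost creations from 198.51.100.7 and that source flagged as a burst; on a patched device the same rule still catches a legitimate administrator misconfiguring a free plan.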

Impact:

Successful exploitation grants an unauthenticated, remote attacker the ability to bypass all administrative access controls. This allows for the arbitrary creation of zero-cost network access plans, leading to direct financial loss for the service provider and enabling unlimited, unmonitored data usage for the attacker.


Sources:

Reported By: nvd.nist.gov