Acer Predator Connect W6x, Command Injection, CVE-2026-49196 (Critical) -DC-Jun2026-254

CVE ID: CVE-2026-49196

The Wi‑Fi device blocking feature in Acer Predator Connect W6x routers does not properly sanitize MAC address input. When an administrator enters a MAC address to block a device, the web interface passes the address directly into a system shell command without filtering or escaping dangerous characters such as `;`, `&`, `|`, `$`, or backticks.
An authenticated attacker (with administrative access to the router’s web panel) can inject arbitrary commands by appending a semicolon followed by the desired payload in the MAC address field. For example, instead of entering AA:BB:CC:DD:EE:FF, the attacker supplies AA:BB:CC:DD:EE:FF; id. The backend then executes something like block_device AA:BB:CC:DD:EE:FF; id. Because the semicolon terminates the intended command, the `id` command runs immediately afterward with root privileges.
This flaw is classified as CWE‑77 (Command Injection) and has received a CVSS v4.0 base score of 8.6 (HIGH). The vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, meaning the attack is network‑exploitable, requires low attack complexity, demands high privileges (authenticated admin), and can fully compromise confidentiality, integrity, and availability of the device.
The issue affects Acer Predator Connect W6x firmware versions up to W6x_GBL_2.00.000005. Acer released a fixed firmware version W6x_GBL_2.00.000008 that adds whitelist validation and shell metacharacter escaping to break the direct connection between user input and system commands. The vulnerability was discovered by rethesis and published by Acer on May 29, 2026.
No public exploit is available at the time of writing, but the attack is considered easy to execute once an attacker has authenticated credentials. The MITRE ATT&CK technique associated is T1202 (Indirect Command Execution).

DailyCVE Form:

Platform: Acer Predator Connect W6x
Version: ≤ W6x_GBL_2.00.000005
Vulnerability: CWE‑77 Command Injection
Severity: Critical
Date: 2026‑05‑29

Prediction: 2026‑06‑15

What Undercode Say (analytics):

# Vulnerable MAC address injection point
curl -X POST http://192.168.1.1/api/block_device \
  -H "Cookie: session=ADMIN_SESSION" \
  -d "mac=AA:BB:CC:DD:EE:FF; id > /tmp/out"
# Check if command executed
curl http://192.168.1.1/tmp/out

How Exploit:

  1. Gain authenticated access to the router’s web interface (e.g., by stealing an admin session or using default credentials).
  2. Navigate to the Wi‑Fi device blocking page.
  3. In the MAC address input field, enter a valid MAC followed by `;` and any shell command (e.g., AA:BB:CC:DD:EE:FF; cat /etc/passwd).
  4. Submit the form. The command runs with root privileges.

Protection:

  • Immediately update firmware to W6x_GBL_2.00.000008 or later.
  • Restrict administrative access to trusted IP addresses and enforce strong, unique admin credentials.
  • Monitor logs for suspicious MAC address entries containing shell metacharacters.
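As an added example (not code from the page, from Acer, or from the W6x firmware), the following Python sketch shows the two defensive controls described above: the allowlist validation and shell-free command construction that the fixed firmware is said to add, and the log monitoring for MAC entries carrying shell metacharacters. The `block_device` helper name, the log line format and the sample log lines are assumptions constructed for this example.

```python
import re
import subprocess

# Allowlist for the colon-separated form the page uses (AA:BB:CC:DD:EE:FF).
# Assumption: the router only needs to accept this one notation.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
# Characters the page names as dangerous, plus others a shell interprets.
SHELL_META = set(";&|$`\n<>()'\"\\")

def is_valid_mac(raw: str) -> bool:
    """True only for a bare six-octet MAC; anything appended (e.g. '; id') fails."""
    return MAC_RE.fullmatch(raw) is not None

def build_block_argv(raw_mac: str) -> list:
    """Argument vector for the hypothetical 'block_device' helper.

    The vulnerable pattern the page describes is the equivalent of
    os.system("block_device " + mac), where the shell splits on ';'.
    Here the MAC must pass the allowlist and then travels as its own argv
    element, so no shell ever parses it.
    """
    if not is_valid_mac(raw_mac):
        raise ValueError("rejected MAC address: %r" % raw_mac)
    return ["block_device", raw_mac.upper()]

def block_device(raw_mac: str) -> int:
    """Run the helper with shell=False; metacharacters cannot split the command."""
    return subprocess.run(build_block_argv(raw_mac), shell=False).returncode

def suspicious_mac_entries(log_lines):
    """Detection for the monitoring advice above: return the MAC field of every
    block-device log entry that is malformed or contains shell metacharacters."""
    hits = []
    for line in log_lines:
        m = re.search(r'mac="([^"]*)"', line)
        if m and (not is_valid_mac(m.group(1)) or SHELL_META.intersection(m.group(1))):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not from the page or the device).
SAMPLE_LOG = [
    '2026-05-29T10:00:01Z ui block_device user=admin mac="AA:BB:CC:DD:EE:FF"',
    '2026-05-29T10:00:07Z ui block_device user=admin mac="AA:BB:CC:DD:EE:FF; id"',
    '2026-05-29T10:00:09Z ui block_device user=admin mac="AA:BB:CC:DD:EE:FF`id`"',
    '2026-05-29T10:00:12Z ui block_device user=admin mac="11:22:33:44:55:66"',
]
```

Running `suspicious_mac_entries(SAMPLE_LOG)` returns only the two tampered entries; the same `is_valid_mac` check serves both the input gate and the detector, so the two controls cannot drift apart.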

Impact:

  • Full remote code execution (RCE) as root on the router.
  • Complete device compromise: attacker can modify firewall rules, intercept traffic, install persistent backdoors, or use the router as a pivot for internal network attacks.
  • Unauthorized exfiltration of sensitive configuration and credentials stored on the device.

Sources:

Reported By: nvd.nist.gov