CVE-2026-49194— SCREEN_CLICK Authentication Bypass
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Acer | Connect M6E 5G Portable WiFi Router | *≤ M6E_AI_1.00.000019 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49194
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SCREEN_CLICK Authentication Bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Acer | Connect M6E 5G Portable WiFi Router | * ~ M6E_AI_1.00.000019 | - |
II. Public POCs for CVE-2026-49194
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49194
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-49194 (1)
Same Patch Batch · Acer · 2026-06-04 · 26 CVEs total
| CVE-2026-50224 | Unauthenticated IPv6 WAN Management Exposure | |
| CVE-2026-50206 | VPN Command Injection Vulnerability | |
| CVE-2026-50205 | Plaintext Log Credential Leakage | |
| CVE-2026-50207 | Local Modem Manipulation via Binder Interfaces | |
| CVE-2026-50226 | Firmware Theft & IMEI Spoofing via Connect-OTA | |
| CVE-2026-50225 | Account Creation Exhaustion | |
| CVE-2026-50212 | Arbitrary Remote Device Unbinding | |
| CVE-2026-50211 | Exposed Factory Testing App Boundaries | |
| CVE-2026-50209 | MDM Server Registration Overriding | |
| CVE-2026-50210 | Weak Static Cryptographic Initialization Vectors | |
| CVE-2026-50213 | Bulk User Private Data Harvesting | |
| CVE-2026-50208 | Permissive TrustAllCerts TLS Verification | |
| CVE-2026-50214 | Shared Secret Quota Inflation | |
| CVE-2026-49204 | Hard-coded AWS Cognito Testing Accounts | |
| CVE-2026-49186 | Lack of MQTT Broker Topic Access Control Lists | |
| CVE-2026-49191 | Exposed Hard-coded M3WebServer Backend API Key | |
| CVE-2026-49189 | Broadcast Receiver Privilege Escalation | |
| CVE-2026-49190 | Missing Per-Instruction Authorization Checks | |
| CVE-2026-49192 | Summary Service Insecure Direct Object Reference | |
| CVE-2026-49202 | Unverified Meeting Recording Endpoints & Permissive CORS |
Showing top 20 of 26 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same weakness: CWE-287
- CVE-2026-12183
BUK TS-G系统2.9.1-2.10.2认证漏洞 - CVE-2026-50623
Apache CXF: Authentication Bypass in OAuth2 TokenIntrospecti - CVE-2026-48611
OAuth实现未正确验证身份导致默认安装账户劫持 - CVE-2026-40995
X.509 authentication bypasses Spring Security account checks - CVE-2026-46705
russh server userauth state is not reset when authentication
V. Comments for CVE-2026-49194
No comments yet