The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans.

CVE-2026-50224 medium · 4.9

The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN.

CVE-2026-50225 critical · 9.1

The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.

CVE-2026-50226 medium · 5.3

Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list cata

CVE-2026-49201 critical · 9.8

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups

CVE-2026-49198 medium · 4.9

Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.

CVE-2026-49200 critical · 9.8

The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leadin