Auth bypass in Acer Predator Connect W6x

CVE-2026-49195

Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands.

Vulnerability class: Broken Authentication

EPSS: 0.000 (6.7th percentile)

Affected products

Weakness classification (CWE)

References