CVE-2026-49191

Acer · Connect M6E 5G Portable WiFi Router

The M3WebServer in the Acer Connect M6E 5G router hard-codes backend API keys, which are exposed via verbose error pages.

Executive summary

A critical security vulnerability in the Acer Connect M6E 5G router allows for the unauthorized retrieval of hard-coded API keys, potentially compromising backend services.

Vulnerability

This vulnerability involves the use of hard-coded credentials within the M3WebServer component. Unauthenticated attackers can retrieve these keys from the verbose error pages that the web server generates.

Business impact

The exposure of backend API keys grants attackers the ability to impersonate the device or access protected cloud services associated with the router. Given the CVSS score of 9.8, this vulnerability poses a severe risk to the confidentiality and integrity of the device's management ecosystem and associated infrastructure.

Remediation

Immediate Action: Update the device firmware to the latest available version as specified in the Acer security advisory.

Proactive Monitoring: Monitor device access logs for unusual requests or repeated errors directed toward the web management interface.

Compensating Controls: Restrict access to the router's web management interface to trusted administrative IPs only, preventing external exposure of error pages.
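The monitoring and access-restriction steps above, as an added example that is not part of the advisory or of Acer's tooling: it reviews management-interface access logs for sources outside the trusted admin list and for sources that draw repeated error responses. The log format (Common Log Format), the addresses, and the threshold are assumptions, since the advisory does not describe the router's logs.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions (not from the advisory): Common Log Format lines, two trusted
# admin hosts, and an error threshold. Adjust all three to the real deployment.
TRUSTED_ADMINS = [ip_network("192.168.1.10/32"), ip_network("192.168.1.11/32")]
ERROR_THRESHOLD = 3  # 4xx/5xx responses per source before it is flagged

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ \S+[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines, for illustration only.
SAMPLE_LOG = """\
192.168.1.10 - - [01/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
192.168.1.10 - - [01/Jan/2026:10:00:02 +0000] "GET /x0 HTTP/1.1" 200 840
203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /x1 HTTP/1.1" 500 312
203.0.113.7 - - [01/Jan/2026:10:00:06 +0000] "GET /x2 HTTP/1.1" 500 312
203.0.113.7 - - [01/Jan/2026:10:00:07 +0000] "GET /x3 HTTP/1.1" 404 128
192.168.1.50 - - [01/Jan/2026:10:01:00 +0000] "GET / HTTP/1.1" 200 5120
truncated entry
"""

def is_trusted(src):
    """True if src is inside one of the trusted admin networks."""
    addr = ip_address(src)  # raises ValueError for non-IP source fields
    return any(addr in net for net in TRUSTED_ADMINS)

def review(log_text):
    """Return (untrusted sources, {source: error count} at/over threshold, unparsed lines)."""
    untrusted, errors, unparsed = set(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count, never silently drop, malformed lines
            continue
        try:
            trusted = is_trusted(m["src"])
        except ValueError:
            unparsed += 1
            continue
        if not trusted:
            untrusted.add(m["src"])
        if int(m["status"]) >= 400:
            errors[m["src"]] += 1
    noisy = {s: n for s, n in errors.items() if n >= ERROR_THRESHOLD}
    return untrusted, noisy, unparsed
```

Any entry in the first result means the access restriction is not in effect for that source; entries in the second are the repeated errors the monitoring step asks for.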

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents a significant security failure due to the exposure of sensitive credentials. Organizations using the Acer Connect M6E 5G must prioritize firmware updates to remediate the hard-coded key issue and secure the web server environment.