CVE-2026-49186 in Connect M6E 5G Portable WiFi Router

Summary

by MITRE • 06/04/2026

The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish rogue control commands.


Analysis

by VulDB Data Team • 06/04/2026

This vulnerability represents a critical access control flaw in MQTT broker implementations that fundamentally undermines the security of IoT and industrial communication networks. The absence of proper topic-level access control lists creates an environment where any authenticated or even unauthenticated client can exploit wildcard subscriptions to discover sensitive network topology information and potentially execute malicious control commands. The impact extends beyond simple information disclosure as it enables privilege escalation through unauthorized access to device management interfaces and operational control functions.

The technical flaw manifests in the broker's failure to validate subscription requests against configured access policies, particularly when wildcard characters are employed. The hash symbol # represents a multi-level wildcard that can match any number of topic levels, while the plus sign + acts as a single-level wildcard. When combined with proper authentication mechanisms, these wildcards should be restricted to prevent unauthorized enumeration of the entire topic hierarchy. However, in vulnerable implementations, clients can subscribe to patterns like # or +/+/+/+ to systematically discover all available topics and their associated device identifiers, effectively bypassing any intended security boundaries.

This vulnerability directly maps to CWE-284 Access Control Issues and aligns with ATT&CK technique T1071.001 Application Layer Protocol: Web Protocols, where adversaries exploit weak access controls to gain unauthorized access to network resources. The operational impact is severe as attackers can enumerate all connected devices, identify their operational status, and potentially inject malicious commands that could disrupt industrial processes, compromise safety systems, or gain unauthorized control over critical infrastructure components. In industrial environments, this could lead to production halts, safety violations, or even physical damage to equipment.

The mitigation strategy requires implementing robust topic-level access control policies that restrict wildcard usage and enforce strict authorization rules for all subscription and publication operations. Brokers should validate each subscription request against configured ACLs and deny wildcard subscriptions that would provide excessive information disclosure. Additionally, implementing proper logging and monitoring of subscription activities enables detection of suspicious enumeration patterns. Security controls should also include limiting the number of concurrent subscriptions per client and implementing rate limiting to prevent automated enumeration attacks. Organizations should conduct regular security assessments of their MQTT implementations and ensure that access control policies align with the principle of least privilege, restricting client access to only the topics necessary for their specific operational functions.
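A broker-side subscription check of the kind the paragraph above calls for, added here as an illustration; it is not code from the affected router or from any particular broker. The ACL table, client ids and topic names are constructed, and the assumed policy is that a SUBSCRIBE is admitted only when some ACL entry covers every topic the requested filter could match, so bare `#` or `+/+/+/+` is refused unless the client is explicitly granted that scope.

```python
from typing import Dict, List

# Constructed sample ACL: client id -> topic filters that client may subscribe to.
ACL: Dict[str, List[str]] = {
    "sensor-42": ["devices/sensor-42/#"],
    "dashboard": ["devices/+/status", "alerts/#"],
}


def _covers(allowed: List[str], requested: List[str]) -> bool:
    """True if every topic matching `requested` also matches `allowed`, walking
    the two filters level by level with MQTT wildcard semantics."""
    i = 0
    while i < len(allowed) and i < len(requested):
        a, r = allowed[i], requested[i]
        if a == "#":
            return True  # multi-level wildcard on the allowed side covers the rest
        if r == "#":
            return False  # requested filter reaches deeper than the grant
        if a == "+":
            i += 1  # any single level is acceptable here
            continue
        if r == "+" or a != r:
            return False  # requested is broader than the grant, or literal mismatch
        i += 1
    if i == len(allowed) == len(requested):
        return True
    # Per MQTT, "a/#" also matches the parent topic "a", so a trailing "#"
    # on the allowed side still covers a shorter requested filter.
    return i == len(requested) and allowed[i:] == ["#"]


def subscription_allowed(client_id: str, topic_filter: str) -> bool:
    """Admit a SUBSCRIBE only if the filter is well formed and fully covered
    by at least one ACL entry for this client; unknown clients get nothing."""
    if not topic_filter or "\x00" in topic_filter:
        return False
    requested = topic_filter.split("/")
    # MQTT grammar: '#' may only be the entire last level, '+' only a whole level.
    for n, level in enumerate(requested):
        if "#" in level and (level != "#" or n != len(requested) - 1):
            return False
        if "+" in level and level != "+":
            return False
    return any(_covers(a.split("/"), requested) for a in ACL.get(client_id, []))
```

Clients that repeatedly fail this check with `#` or all-`+` filters are exactly the enumeration pattern the paragraph says should be logged and rate limited.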

Responsible: Acer

Reservation: 05/28/2026

Disclosure: 06/04/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low
