Last updated: July 5, 2026 at 9:01 AM UTC
Tag: routers (1 article)

Acer Wave 7 mesh routers: max-severity zero-days CVE-2026-49200/49201 expose plaintext credentials and hardcoded AES backdoor key, patch targeted for end of June

Acer is working to patch two maximum-severity zero-days in its Wave 7 mesh routers running firmware T7c_GBL_1.01.000055 or earlier, reported by researcher Gergo Pap. CVE-2026-49200 is a broken-access-control flaw: the acer_cgi.log file is reachable without authentication via the web interface and contains cleartext web and Telnet login credentials, leading to unauthorized system access. CVE-2026-49201 stems from a hardcoded AES key in the upload.cgi backup-processing binary, letting unauthenticated remote attackers decrypt, modify, and re-encrypt system backups to inject a persistent backdoor. No patches are available yet; Acer targets fixes by the end of June 2026 and urges users to update immediately once released.

Check
Inventory Acer Wave 7 mesh routers and confirm firmware version. Restrict web-interface and Telnet access to trusted networks. Watch for Acer's end-of-June firmware and apply immediately on release.
Affected
Acer Wave 7 routers on firmware T7c_GBL_1.01.000055 or earlier. CVE-2026-49200 exposes cleartext credentials in an unauthenticated log file; CVE-2026-49201's hardcoded AES key enables backdoored backups.
Fix
No patch yet (targeted end of June 2026). Disable remote/WAN management, restrict admin access to wired LAN, and rotate router and Telnet credentials. Apply Acer firmware the moment it ships.