Acer working to patch max severity zero-days in Wave 7 routers
Acer is working to patch two critical zero-days in Wave 7 mesh routers running firmware version T7c_GBL_1.01.000055 or earlier.
Summary
Acer is addressing two maximum-severity zero-day vulnerabilities in its Wave 7 mesh routers. The first flaw (CVE-2026-49200) allows unauthenticated remote access to plaintext credentials via an accessible log file, while the second (CVE-2026-49201) stems from a hardcoded AES encryption key in the backup processing binary, which enables persistent backdoor injection. Patches are scheduled for release by the end of June 2026, and disabling remote management is advised as an interim mitigation.
Full text
By Sergiu Gatlan
June 3, 2026 07:35 AM

Acer confirmed that it's working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.

According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.

The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives.

"The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access," Acer explained.

The second one (CVE-2026-49201) stems from a hardcoded cryptographic key that lets remote attackers without privileges gain persistent backdoor access to the router.

"The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key," the company added. "This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection."

While no security patches are available yet for these two flaws, Acer says it's working on fixes that should be released by the end of the month.

"The vulnerabilities mentioned above are scheduled to be resolved in upcoming firmware updates. The target fix is planned for deployment by the end of June 2026," it said.

The company also "strongly encouraged" all users to update their devices' firmware immediately after the security updates are issued by following the steps below:

- Connect your computer to your Acer Wave 7 router via Wi-Fi or an Ethernet cable.
- Open a web browser and navigate to the router administration console (http://192.168.76.1 or http://acerconnect.com).
- Log in using your administrator credentials.
- Navigate to System Management, then select Firmware Update.
- Select Check for Updates.

To mitigate attack risks until a patch is available, Acer customers are advised to disable remote management or, if the firmware allows, restrict Internet remote access to trusted IP addresses only.
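The following is an added example, not part of Acer's advisory or the original article: a check a defender could run over HTTP logs from a gateway or reverse proxy in front of the router, to see whether the two files named in the advisory were requested from outside the LAN. The Common Log Format, the sample lines, the function names and the PLACEHOLDER path are assumptions; the article gives only the file names.

```python
import ipaddress
import re

# Files named in Acer's advisory, mapped to the CVE each one relates to.
WATCHED = {"acer_cgi.log": "CVE-2026-49200", "upload.cgi": "CVE-2026-49201"}

# RFC 1918 and loopback ranges are treated as local; everything else is external.
LOCAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

# Assumption: Common Log Format, as written by many proxies and gateways.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def is_external(addr, trusted=()):
    """True if addr is outside the local ranges and any extra trusted networks."""
    ip = ipaddress.ip_address(addr)
    nets = LOCAL_NETS + tuple(trusted)
    return not any(ip in ipaddress.ip_network(n) for n in nets)

def find_exposure(lines, trusted=()):
    """Return (timestamp, source, CVE, status) for external hits on watched files."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed log format
        # Match on the file name only, ignoring directories and query string.
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        cve = WATCHED.get(name)
        try:
            if cve and is_external(m["src"], trusted):
                hits.append((m["ts"], m["src"], cve, int(m["status"])))
        except ValueError:
            continue  # source field is a hostname, not an IP address
    return hits

# Constructed sample lines (documentation address ranges, placeholder paths).
SAMPLE = [
    '192.168.76.20 - - [03/Jun/2026:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Jun/2026:08:02:40 +0000] "GET /PLACEHOLDER/acer_cgi.log HTTP/1.1" 200 18233',
    '198.51.100.9 - - [03/Jun/2026:08:05:03 +0000] "POST /PLACEHOLDER/upload.cgi HTTP/1.1" 200 64',
    '192.168.76.20 - admin [03/Jun/2026:08:07:55 +0000] "POST /PLACEHOLDER/upload.cgi HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in find_exposure(SAMPLE):
        print(hit)
```

Any hit with a 200 status means the management interface answered a request from outside the LAN, which is the exposure the interim mitigation is meant to close; pass `trusted` to exclude the addresses remote access has been restricted to.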
Indicators of Compromise
- cve — CVE-2026-49200
- cve — CVE-2026-49201