Acer working to patch max severity zero-days in Wave 7 routers

By Sergiu Gatlan
June 3, 2026 07:35 AM

Acer confirmed that it's working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.

According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.

The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives.

"The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access," Acer explained.

The second one (CVE-2026-49201) stems from a hardcoded cryptographic key that lets remote attackers without privileges gain persistent backdoor access to the router.

"The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key," the company added. "This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection."

While no security patches are available yet for these two flaws, Acer says it's working on fixes that should be released by the end of the month.

"The vulnerabilities mentioned above are scheduled to be resolved in upcoming firmware updates. The target fix is planned for deployment by the end of June 2026," it said.

The company also "strongly encouraged" all users to update their devices' firmware immediately after the security updates are issued by following the steps below:

1. Connect your computer to your Acer Wave 7 router via Wi-Fi or an Ethernet cable.
2. Open a web browser and navigate to the router administration console (http://192.168.76.1 or http://acerconnect.com).
3. Log in using your administrator credentials.
4. Navigate to System Management, then select Firmware Update.
5. Select Check for Updates.

To mitigate attack risks until a patch is available, Acer customers are advised to disable remote management or, if the firmware allows, restrict Internet remote access to trusted IP addresses only.

Two maximum-severity zero-day vulnerabilities affect Acer Wave 7 mesh routers: CVE-2026-49200 allows unauthenticated remote credential theft via an exposed log file, and CVE-2026-49201 enables persistent backdoor access via a hardcoded AES key in the backup utility. The vulnerabilities affect firmware version T7c_GBL_1.01.000055 or earlier, and while no patches are currently available, Acer plans to release fixes by the end of June 2026. Until patches are deployed, users should disable remote management or restrict remote access to trusted IP addresses.