Acer is addressing two critical zero-day vulnerabilities in its Wave 7 mesh routers: CVE-2026-49200 allows unauthenticated attackers to retrieve plaintext credentials from log archives, while CVE-2026-49201 involves a hardcoded cryptographic key enabling persistent backdoor access via backup decryption. These flaws affect firmware version T7c_GBL_1.01.000055 and earlier. Acer plans to release firmware patches by the end of June 2026; until then, users should disable remote management or restrict access to trusted IPs.
Vulnerability Management Acer addresses critical zero-day vulnerabilities in Wave 7 routers June 3, 2026 Share By SC Staff (Adobe Stock) As reported by Bleeping Computer, Acer has confirmed it is actively working to resolve two critical zero-day vulnerabilities impacting its Wave 7 mesh routers. These security flaws, reported by researcher Gergo Pap, affect firmware version T7c_GBL_1.01.000055 and earlier. The first vulnerability, CVE-2026-49200, is a broken access control flaw that allows unauthenticated attackers to access plaintext credentials from log archives, potentially leading to unauthorized system access. The second, CVE-2026-49201, involves a hardcoded cryptographic key, enabling remote attackers to gain persistent backdoor access by decrypting and re-encrypting system backups. Acer plans to release firmware updates to address these issues by the end of June 2026. Until then, users are advised to disable remote management or restrict access to trusted IP addresses. The company strongly encourages users to update their firmware immediately once the patches become available. Source: Bleeping Computer SC Staff Related Vulnerability Management CISA adds Android and Linux kernel flaws to exploited vulnerabilities catalog SC Staff June 3, 2026 The vulnerabilities added are CVE-2022-0492, a Linux kernel improper authentication flaw with a CVSS score of 7.0, and CVE-2025-48595, an Android framework integer overflow vulnerability with a CVSS score of 8.4. Vulnerability Management Most organizations that miss 24-hour patch window report breaches Steve Zurier June 2, 2026 Study points out that AI has shattered the model of patching on a two- to four-week schedule. Vulnerability Management Google releases June Android security patches addressing 124 vulnerabilities, including 1 zero-day SC Staff June 2, 2026 The actively exploited vulnerability, identified as CVE-2025-48595, is a high-severity flaw in the Android Framework that allows local attackers to gain code execution and escalate privileges on devices running Android 14 or later. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Bug Buffer Overflow Disassembly You can skip this ad in 5 seconds