Full Report
Acer is working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. [...]
Analysis Summary
# Vulnerability: Critical Zero-Day Vulnerabilities in Acer Wave 7 Mesh Routers
## CVE Details
- **CVE ID:** CVE-2026-49200
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-284 (Improper Access Control)
- **CVE ID:** CVE-2026-49201
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-798 (Use of Hard-coded Credentials) / CWE-321 (Use of Hard-coded Cryptographic Key)
## Affected Systems
- **Products:** Acer Wave 7 Mesh Routers
- **Versions:** Firmware version T7c_GBL_1.01.000055 and earlier.
- **Configurations:** Devices with web interface access enabled; specifically those with remote management exposed to the WAN.
## Vulnerability Description
**CVE-2026-49200 (Broken Access Control):**
The router's firmware contains a log file (`acer_cgi.log`) that is accessible via the web interface without requiring any authentication. This log file stores login credentials for the web management console and Telnet services in plaintext. An unauthenticated attacker can navigate to the log file URL to harvest administrative credentials.
**CVE-2026-49201 (Hardcoded Cryptographic Key):**
The `upload.cgi` binary, which handles device backup files, utilizes a static, hardcoded AES encryption key. This allows an attacker to intercept or obtain a backup file, decrypt its contents, inject malicious code or backdoors, and re-encrypt it. When the modified backup is uploaded back to the device, the attacker gains persistent unauthorized access.
## Exploitation
- **Status:** Zero-day (Reported by researcher Gergo Pap; currently addressed by vendor).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Plaintext credentials and system configurations exposed).
- **Integrity:** Total (Ability to inject persistent backdoors via backup manipulation).
- **Availability:** Total (Full administrative control allows for device bricking or service disruption).
## Remediation
### Patches
- **Status:** Pending. Acer plans to release firmware updates to resolve these issues by the **end of June 2026**. Users should check for updates via the router administration console under *System Management* > *Firmware Update*.
### Workarounds
- **Disable Remote Management:** Ensure the router's administration interface is not accessible from the public internet.
- **Access Control:** If remote access is required, restrict it to specific, trusted IP addresses only.
- **Credential Hygiene:** Once patches are applied, immediately change all administrative passwords, as they may have been logged in plaintext.
## Detection
- **Indicators of Compromise:** Unauthorized access attempts in logs, unexpected configuration changes, or the presence of unrecognized administrative accounts.
- **Detection Methods:** Monitor for unusual outbound traffic or unauthorized access to the `acer_cgi.log` path from external IP addresses.
## References
- Acer Security Advisory: hxxps[://]community[.]acer[.]com/en/kb/articles/19673
- CVE-2026-49200 NVD: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-49200
- CVE-2026-49201 NVD: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-49201