Back

Acer Addresses Critical Zero-Day Vulnerabilities in Wave 7 Routers

Severity: High (Score: 72.0)

Sources: Cybersecuritynews, Scworld, Bleepingcomputer, community.acer.com

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: acer, zero-day, vulnerabilities, wave, routers, working, security

Severity indicators: zero-day, critical, vulnerabilities

Summary

Acer is working to patch two critical zero-day vulnerabilities affecting its Wave 7 mesh routers. The vulnerabilities, reported by researcher Gergo Pap, impact firmware version T7c_GBL_1.01.000055 and earlier. CVE-2026-49200 allows unauthenticated attackers to access plaintext credentials stored in log archives, while CVE-2026-49201 involves a hardcoded cryptographic key that enables persistent backdoor access. Acer plans to release firmware updates to address these issues by the end of June 2026. Until patches are available, users are advised to disable remote management or restrict access to trusted IP addresses. The vulnerabilities pose a significant risk due to their potential for remote exploitation without authentication. Key Points: • Two critical zero-day vulnerabilities (CVE-2026-49200 and CVE-2026-49201) affect Acer's Wave 7 routers. • The vulnerabilities allow unauthorized access to plaintext credentials and persistent backdoor access. • Acer plans to release patches by the end of June 2026; users should restrict remote access in the meantime.

Detailed Analysis

**Impact** Users of Acer Wave 7 mesh routers running firmware version T7c_GBL_1.01.000055 or earlier are affected. The vulnerabilities allow unauthorized remote access to plaintext credentials and persistent backdoor access, risking unauthorized system control and data compromise. No specific numbers, sectors, or geographic regions were provided in the sources. **Technical Details** Two zero-day vulnerabilities are exploited: CVE-2026-49200, a broken access control flaw exposing plaintext credentials in the acer_cgi.log file accessible without authentication; and CVE-2026-49201, involving a hardcoded AES cryptographic key in the upload.cgi binary that enables decryption, modification, and re-encryption of system backups for persistent backdoor access. Attackers operate remotely without privileges, targeting the device’s web interface and backup processing components. No malware or IOCs were detailed. **Recommended Response** Users should disable remote management or restrict remote access to trusted IP addresses until patches are released. Acer plans firmware updates by the end of June 2026, which must be applied immediately upon availability. Monitoring for unauthorized access attempts and unusual backup file modifications is advised. No additional detection rules or indicators were provided.

Source articles (4)

  • Acer working to patch max severity zero — Bleepingcomputer · 2026-06-03
    Acer confirmed that it's working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. According to a Friday security advisory , the two security flaws were repor…
  • Acer addresses critical zero-day vulnerabilities in Wave 7 routers | brief — Scworld · 2026-06-04
    As reported by Bleeping Computer, Acer has confirmed it is actively working to resolve two critical zero-day vulnerabilities impacting its Wave 7 mesh routers. These security flaws, reported by resear…
  • Acer Working to Patch Wave 7 Router 0 — Cybersecuritynews · 2026-06-04
    Acer is preparing a firmware update to address a critical zero-day vulnerability affecting its Wave 7 routers, following disclosure by independent security researcher Gergo Pap. The issue affects devi…
  • Friday security advisory — community.acer.com · 2026-06-03

Timeline

  • 2026-05-29 — CVE-2026-49200 and CVE-2026-49201 published: Two critical zero-day vulnerabilities affecting Acer Wave 7 routers were disclosed, allowing unauthorized access and persistent backdoor access.
  • 2026-06-03 — Acer confirms active work on patches: Acer announced it is actively working on firmware updates to address the reported vulnerabilities, expected by the end of June 2026.
  • 2026-06-04 — Scworld reports on Acer's vulnerabilities: Scworld published a brief confirming Acer's acknowledgment of the vulnerabilities and the planned patch timeline.
  • 2026-06-04 — Cybersecuritynews covers Acer's response: Cybersecuritynews reported on Acer's preparations for a firmware update to address the critical vulnerabilities.

CVEs

  • CVE-2026-49200
  • CVE-2026-49201

Related entities

  • Zero-day Exploit (Attack Type)
  • Acer (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • Wave 7 Routers (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed