Acer Addresses Critical Zero-Day Vulnerabilities in Wave 7 Routers

Acer is working to patch two critical zero-day vulnerabilities affecting its Wave 7 mesh routers. The vulnerabilities, reported by researcher Gergo Pap, impact firmware version T7c_GBL_1.01.000055 and earlier. CVE-2026-49200 allows unauthenticated attackers to access plaintext credentials stored in log archives, while CVE-2026-49201 involves a hardcoded cryptographic key that enables persistent backdoor access. Acer plans to release firmware updates to address these issues by the end of June 2026. Until patches are available, users are advised to disable remote management or restrict access to trusted IP addresses. The vulnerabilities pose a significant risk due to their potential for remote exploitation without authentication.

Key Points: • Two critical zero-day vulnerabilities (CVE-2026-49200 and CVE-2026-49201) affect Acer's Wave 7 routers. • The vulnerabilities allow unauthorized access to plaintext credentials and persistent backdoor access. • Acer plans to release patches by the end of June 2026; users should restrict remote access in the meantime.