


Perceptive Security
SOC/SIEM Consultancy

Acer working to patch max severity zero-days in Wave 7 routers
Published: 3 June 2026 at 11:35:47
Alert date: 3 June 2026 at 12:01:11
Source: bleepingcomputer.com
Network Infrastructure, Zero-Day Vulnerabilities, Mobile & IoT
Acer is working on patches for two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. Both are critical security flaws that could allow attackers to compromise the affected devices, and the maximum severity rating reflects the significant risk they pose to users of the affected router models.
Technical details
Two maximum-severity zero-day vulnerabilities affect Acer Wave 7 mesh routers. CVE-2026-49200 is a broken access control vulnerability: the acer_cgi.log file contains cleartext login credentials and is accessible without authentication via the web interface. CVE-2026-49201 is a hardcoded AES encryption key in the upload.cgi binary, which allows attackers to decrypt, modify, and re-encrypt system backups for persistent backdoor injection.
Mitigation steps:
Update firmware immediately when patches become available (targeted for end of June 2026).
To mitigate risks until patches are available: disable remote management or restrict Internet remote access to trusted IP addresses only.
Firmware update steps:
1) Connect to router via Wi-Fi or Ethernet
2) Open web browser and navigate to http://192.168.76.1 or http://acerconnect.com
3) Log in with administrator credentials
4) Navigate to System Management > Firmware Update
5) Select Check for Updates
Affected products:
Acer Wave 7 mesh routers running firmware version T7c_GBL_1.01.000055 or earlier
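An added example, not from Acer or the original alert: a small triage script that applies the affected-version boundary above to a device inventory and lists units with remote management enabled first, in line with the interim mitigation. The version-string layout, the inventory field names and the sample devices are assumptions constructed for illustration.

```python
import re

# Last affected build named in the advisory; the fixed build is not yet published.
LAST_AFFECTED = "T7c_GBL_1.01.000055"
# Assumed layout: <model>_<region>_<major>.<minor>.<build>
_FW_RE = re.compile(r"^(?P<family>[A-Za-z0-9]+_[A-Za-z]+)_(\d+)\.(\d+)\.(\d+)$")


def parse_firmware(version):
    """Return (family, (major, minor, build)) or None if the string does not parse."""
    m = _FW_RE.match(version.strip())
    if not m:
        return None
    return m.group("family"), tuple(int(x) for x in m.group(2, 3, 4))


def classify(version):
    """'affected', 'not_listed' (newer than the advisory), or 'review' (cannot decide)."""
    parsed, ref = parse_firmware(version), parse_firmware(LAST_AFFECTED)
    if parsed is None or parsed[0] != ref[0]:
        return "review"  # unknown format or different firmware family: check by hand
    return "affected" if parsed[1] <= ref[1] else "not_listed"


def triage(inventory):
    """Order devices needing action: units with remote management enabled first."""
    rank = {"affected": 0, "review": 1}
    rows = [(d["host"], classify(d["firmware"]), d["remote_mgmt"]) for d in inventory]
    rows = [r for r in rows if r[1] in rank]
    return sorted(rows, key=lambda r: (not r[2], rank[r[1]], r[0]))


# Constructed sample inventory (hostnames, versions and flags are made up).
SAMPLE = [
    {"host": "branch-01", "firmware": "T7c_GBL_1.01.000055", "remote_mgmt": False},
    {"host": "branch-02", "firmware": "T7c_GBL_1.01.000042", "remote_mgmt": True},
    {"host": "branch-03", "firmware": "T7c_GBL_1.02.000003", "remote_mgmt": False},
    {"host": "branch-04", "firmware": "unknown", "remote_mgmt": True},
]

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE):
        action = "disable or restrict remote management now" if exposed else "patch when released"
        print(f"{host}: {status}; {action}")
```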
Related links:
https://community.acer.com/en/kb/articles/19673
https://nvd.nist.gov/vuln/detail/CVE-2026-49200
https://nvd.nist.gov/vuln/detail/CVE-2026-49201
IOC's:
acer_cgi.log file, upload.cgi binary
This article was created with the assistance of AI technology by Perceptive.
