Acer has confirmed two maximum-severity zero-day vulnerabilities in its Wave 7 mesh routers, tracked as CVE-2026-49200 and CVE-2026-49201. Together, they enable a complete device compromise chain: CVE-2026-49200 exposes plaintext administrator and Telnet credentials through an unprotected log file, and CVE-2026-49201 provides a hardcoded AES encryption key that allows persistent backdoor injection via modified device backups. No firmware patch is currently available. Organisations must apply containment measures until Acer releases updated firmware.
What Are the Vulnerabilities?
CVE-2026-49200 — Broken Access Control (Cleartext Credential Exposure): The acer_cgi.log file on the router’s filesystem is accessible without any authentication through the web management interface. This log file contains cleartext login credentials for both the web administration interface and Telnet access. Any remote attacker who can reach the router’s web interface can retrieve the log file and obtain the current administrator password and Telnet credentials — granting immediate full administrative access to the device.
CVE-2026-49201 — Hardcoded Cryptographic Key (Persistent Backdoor via Backup Injection): The upload.cgi binary, which processes device configuration backups, contains a hardcoded AES encryption key. An attacker — including one who gained access via CVE-2026-49200 — can use this key to decrypt legitimate device backups, inject malicious configuration changes or backdoor code, re-encrypt the backup with the same key, and upload it to the router. Because the backup restoration process uses the router’s legitimate firmware update mechanism, the injected backdoor survives both reboots and firmware updates. This provides persistent, undetectable access to the device even after passwords are changed or the router is factory-reset.
The attack chain is clear and complete: (1) retrieve the unprotected acer_cgi.log file to obtain cleartext credentials (CVE-2026-49200), (2) log in to the router as administrator, (3) use the hardcoded AES key to inject a backdoor into a device backup (CVE-2026-49201), (4) upload the modified backup for persistent access that survives remediation. Both vulnerabilities were discovered by security researcher Gergo Pap.
- CVE-2026-49200: CVSS 9.8 Critical — Unauthenticated access to cleartext credentials
- CVE-2026-49201: CVSS 9.8 Critical — Hardcoded cryptographic key enabling persistent backdoor
Which Versions Are Affected?
The vulnerabilities affect Acer Wave 7 mesh routers:
- Acer Wave 7 routers running firmware version T7c_GBL_1.01.000055 and all earlier versions
The Wave 7 is a consumer and small-business mesh Wi-Fi system. While positioned as a consumer product, mesh routers are commonly deployed in small offices, retail locations, remote branch environments, and home offices where they serve as the primary network gateway for business operations.
Is It Being Exploited in the Wild?
No active exploitation has been publicly confirmed at the time of writing. However, both vulnerabilities have been publicly disclosed with full technical details, the attack chain is trivially executable, and no patch is available. The window between public disclosure and active exploitation for router vulnerabilities — particularly those with unauthenticated credential exposure — is typically measured in hours to days. Organisations using Acer Wave 7 routers in any business capacity should apply containment measures immediately and not wait for confirmed exploitation reports.
What Is the Fix?
No firmware patch is available yet. Acer has confirmed the vulnerabilities and stated it is working on patches, but has not released updated firmware as of this advisory. Until a patch is released, the following containment measures are the only available remediation:
- Restrict access to the router’s web management interface. Configure the router to only accept management connections from trusted internal IP addresses. Do not expose the management interface to the internet, guest networks, or untrusted VLANs. Disable remote administration features entirely.
- Disable Telnet access. Telnet transmits credentials in cleartext and should never be enabled. Verify Telnet is disabled in the router configuration.
- Change all router passwords immediately. The unprotected log file may already contain current credentials if the router has been accessible. Change the administrator password and any other configured accounts.
- Monitor for unusual administrative activity. Review router logs for unexpected administrative logins, configuration changes, or firmware/backup uploads from unrecognised IP addresses.
- Consider network isolation. Place the Acer Wave 7 router on an isolated network segment with restricted access to other network resources. Treat it as a potentially compromised device.
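The monitoring step above can be automated against whatever sits in front of the router. The following is an added example, not Acer's or the researcher's code: it flags requests for the two files named in this advisory and rates them by whether the source is inside the trusted management range. The log format (Common Log Format from an upstream proxy or firewall), the trusted range, the sample lines and the `/PLACEHOLDER/` URL prefix are all assumptions.

```python
import ipaddress
import re

# Assumption: the only hosts allowed to manage the router (constructed value).
TRUSTED_MGMT = [ipaddress.ip_network("192.168.10.0/28")]

# File names come from the advisory. The URL prefix in front of them is not
# given on this page, so only the last path component is matched.
WATCHED = {
    "acer_cgi.log": "read of credential log (CVE-2026-49200)",
    "upload.cgi": "backup upload (CVE-2026-49201)",
}

# Assumption: Common Log Format lines from a proxy or firewall in front of the router.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(addr in net for net in TRUSTED_MGMT)

def triage(lines):
    """Return (severity, source, reason) for each request touching a watched file."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name not in WATCHED or (name == "upload.cgi" and m["method"] != "POST"):
            continue
        succeeded = m["status"].startswith("2")
        # A successful request from outside the management range is the urgent case;
        # blocked attempts and trusted-source requests still need a human look.
        severity = "high" if succeeded and not is_trusted(m["src"]) else "review"
        findings.append((severity, m["src"], WATCHED[name]))
    return findings

# Constructed sample lines; "/PLACEHOLDER/" stands in for the undocumented URL prefix.
SAMPLE = [
    '192.168.10.5 - - [04/Jun/2026:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.44 - - [04/Jun/2026:09:13:17 +0000] "GET /PLACEHOLDER/acer_cgi.log HTTP/1.1" 200 20480',
    '203.0.113.44 - - [04/Jun/2026:09:15:40 +0000] "POST /PLACEHOLDER/upload.cgi HTTP/1.1" 200 312',
    '192.168.10.5 - - [04/Jun/2026:10:02:09 +0000] "POST /PLACEHOLDER/upload.cgi HTTP/1.1" 200 312',
    '198.51.100.9 - - [04/Jun/2026:10:30:00 +0000] "GET /PLACEHOLDER/acer_cgi.log HTTP/1.1" 403 0',
]
```

A "high" finding for the log file means the credentials it held should be treated as disclosed; a "high" finding for an upload means the running configuration should not be trusted or backed up for later restore.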
Recommendations
Apply all containment measures today. Without a patch, the only defence is to restrict access to the vulnerable management interface and change credentials. This is a stopgap — the hardcoded AES key (CVE-2026-49201) means an attacker who ever gained access could have injected a persistent backdoor that survives credential changes. The containment measures reduce the risk of initial exploitation but do not eliminate the possibility of a pre-existing compromise.
For business-critical deployments, plan for replacement. If the Acer Wave 7 router serves as the primary network gateway for a business location and Acer does not release a patch within a reasonable timeframe, consider replacing it with a fully patched alternative from a vendor with a proven track record of responsive security patching. A router with publicly known, unpatched maximum-severity vulnerabilities should not serve as a long-term network gateway.
Monitor Acer’s support site for firmware availability. Apply the firmware update immediately when Acer releases it. Note that if a backdoor was injected via CVE-2026-49201 prior to the firmware update, it may survive the update if it was embedded in a modified backup. After updating, perform a full factory reset and reconfigure the router from scratch rather than restoring from a backup — this eliminates any injected backdoors that may be present in backup files.
Audit other Acer networking equipment. The hardcoded cryptographic key pattern (CVE-2026-49201) may not be isolated to the Wave 7 model. If your organisation uses other Acer networking equipment, monitor Acer’s security advisories for similar vulnerabilities and apply firmware updates as they become available.
References
- NVD: CVE-2026-49200 (Cleartext Credential Exposure)
- NVD: CVE-2026-49201 (Hardcoded AES Key)
- Vulnerability Intelligence Report — June 4, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 4, 2026.
