Critical Zero-Days Expose Acer Wave 7 Routers to Credential Theft and Backdoor Access

Acer's Wave 7 mesh routers are under threat from two critical zero-day vulnerabilities that could allow attackers to access plaintext credentials and gain persistent backdoor access. While patches aren't available yet, Acer advises users to disable remote management or restrict internet access until a fix is released by the end of June.

Summary

Acer has acknowledged the existence of two high-severity zero-day vulnerabilities affecting its Wave 7 mesh routers, as reported by security researcher Gergo Pap. These flaws could allow attackers to access stored credentials and gain persistent backdoor access due to hardcoded cryptographic keys in the firmware. Although no patches are currently available, Acer plans to release fixes by the end of June 2026.

What Happened

Acer's Wave 7 mesh routers are vulnerable to two critical zero-day vulnerabilities that could lead to unauthorized system access. The first vulnerability, a broken access control issue, allows attackers to remotely retrieve plaintext credentials from log archives without authentication. This flaw is tracked as CVE-2026-49200 and poses significant risks by exposing sensitive login information.

The second vulnerability, identified as CVE-2026-49201, involves a hardcoded cryptographic key within the firmware's upload.cgi binary. This flaw enables remote attackers to decrypt, modify, and re-encrypt system backups, granting them persistent backdoor access to the router. The presence of this hardcoded key undermines the security of the device.

Technical Details

The first vulnerability stems from an accessible acer_cgi.log file within the device firmware, which contains cleartext login credentials for web and Telnet interfaces. This flaw allows attackers to bypass authentication mechanisms via the web interface, leading to unauthorized access.

For the second vulnerability, the hardcoded AES encryption key in the upload.cgi binary is a critical security lapse. Attackers can exploit this flaw by decrypting system backups, altering them with malicious code, and re-encrypting them to maintain persistent backdoor access. This capability allows attackers to manipulate the router's operations without detection.

Affected Products and Fixed Versions

The vulnerabilities affect Wave 7 mesh routers running firmware version T7c_GBL_1.01.000055 or earlier. Users of these devices are at risk until a security update is released by Acer, which is scheduled for deployment by the end of June 2026.
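
For anyone tracking several of these routers, the version cutoff above can be turned into a quick inventory triage. The following is an added example, not code from Acer or the researcher; it assumes the firmware string follows a `<model>_<region>_<major>.<minor>.<build>` layout (inferred only from the one version string in this article), and the device names and every version other than T7c_GBL_1.01.000055 are constructed.

```python
import re

# Last affected build named in the article above.
LAST_AFFECTED = "T7c_GBL_1.01.000055"

# Assumed layout <model>_<region>_<major>.<minor>.<build>, inferred from the
# one version string on the page, not from vendor documentation.
_VERSION_RE = re.compile(
    r"^(?P<model>[A-Za-z0-9]+)_(?P<region>[A-Za-z]+)_(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (model, region, (major, minor, build)) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return m["model"], m["region"], tuple(int(g) for g in m.groups()[2:])


def classify(version_text, last_affected=LAST_AFFECTED):
    """Classify one firmware string as 'affected', 'newer' or 'review'."""
    ref = parse_version(last_affected)
    cur = parse_version(version_text)
    # Unparseable strings, or another model/region train, cannot be compared
    # safely, so they go to a human instead of being silently cleared.
    if cur is None or cur[:2] != ref[:2]:
        return "review"
    return "affected" if cur[2] <= ref[2] else "newer"


def triage(inventory):
    """Map {device_name: firmware_string} to {status: [device_name, ...]}."""
    result = {"affected": [], "newer": [], "review": []}
    for name, fw in sorted(inventory.items()):
        result[classify(fw)].append(name)
    return result


# Constructed inventory: names and all versions but the first are made up.
SAMPLE = {
    "mesh-livingroom": "T7c_GBL_1.01.000055",
    "mesh-office": "T7c_GBL_1.01.000042",
    "mesh-garage": "T7c_GBL_1.01.000061",
    "mesh-lab": "T7c_EU_1.01.000050",
    "mesh-attic": "unknown",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

A "newer" result only means the build number is above the cutoff; whether that build actually contains the fix has to be confirmed against Acer's release notes once the update ships.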

Defender Guidance

To mitigate the risks posed by these vulnerabilities, Acer strongly advises users to take immediate action:

  • Disable remote management on their routers to prevent unauthorized access.
  • If possible, restrict internet remote access to trusted IP addresses only. This measure limits potential attack vectors and reduces exposure to malicious actors.

These steps limit exposure until official patches are available and reduce the opportunity for attackers to exploit these vulnerabilities to compromise network security.

What Remains Unclear

While Acer has provided a timeline for the release of fixes, specific details about the nature of the patches or any additional mitigations remain undisclosed. Additionally, there is no information on whether these vulnerabilities have been actively exploited in the wild, leaving users uncertain about the immediate threat level.

Tags

Acer, Wave 7 mesh routers, zero-day vulnerabilities, broken access control, hardcoded cryptographic key, CVE-2026-49200, CVE-2026-49201

Sources

  1. https://www.bleepingcomputer.com/news/security/acer-warns-of-max-severity-zero-days-affecting-wave-7-routers/
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -