Critical severity9.8NVD Advisory· Published May 29, 2026· Updated Jun 8, 2026
CVE-2026-49201
CVE-2026-49201
Description
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
Affected products
2Patches
Vulnerability mechanics
References
1- community.acer.com/en/kb/articles/19673nvdVendor Advisory
News mentions
2- ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and MoreThe Hacker News · Jun 8, 2026
- Acer working to patch max severity zero-days in Wave 7 routersBleepingComputer · Jun 3, 2026