VYPR
Critical severity9.8NVD Advisory· Published May 29, 2026· Updated Jun 8, 2026

CVE-2026-49201

CVE-2026-49201

Description

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

2