VYPR

Wave 7 Firmware

by Acer

CVEs (2)

  • CVE-2026-49201CriMay 29, 2026
    risk 0.64cvss 9.8epss 0.00

    The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

  • CVE-2026-49200CriMay 29, 2026
    risk 0.64cvss 9.8epss 0.01

    The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.