Acer Addresses Two Critical Zero-Days in Wave 7 Routers
Acer is developing firmware updates to patch two maximum-severity zero-day vulnerabilities in its Wave 7 mesh routers that could grant attackers administrative control.

Acer has confirmed it is actively working to resolve two critical zero-day vulnerabilities that impact its Wave 7 mesh router series. These security flaws, reported by researcher Gergo Pap, affect devices running firmware version T7c_GBL_1.01.000055 and earlier.
The first vulnerability, tracked as CVE-2026-49200, is a broken access control flaw. It allows unauthenticated attackers to remotely access sensitive plaintext credentials stored within the router's log archives. Specifically, the acer_cgi.log file on the device can be accessed without authentication via the web interface, exposing cleartext login credentials for both web and Telnet access, thereby enabling unauthorized system access.
The second zero-day, identified as CVE-2026-49201, stems from a hardcoded cryptographic key within the upload.cgi binary. This binary is responsible for processing device backups. The presence of a hardcoded AES encryption key allows a remote, unprivileged attacker to decrypt, modify, and then re-encrypt system backups. This capability can be leveraged to inject persistent backdoors into the router's firmware, granting long-term unauthorized access.
At the time of the advisory, no security patches are available for either vulnerability. However, Acer has stated that it is prioritizing the development of fixes and aims to release them through firmware updates by the end of June 2026. The company strongly advises users to apply these updates as soon as they become available to secure their devices.
To mitigate the risks until the patches are deployed, Acer recommends that customers disable remote management features on their routers. If the firmware allows, users should restrict Internet remote access to only trusted IP addresses. This measure helps limit the attack surface and prevents unauthorized access from external networks.
Users will be able to update their firmware by accessing the router's administration console, typically via http://192.168.76.1 or http://acerconnect.com. After logging in with administrator credentials, they should navigate to System Management, select Firmware Update, and then choose 'Check for Updates' to install the forthcoming security release.
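For anyone tracking several of these routers, the following added example (not code from Acer or the researcher) triages an inventory against the affected range stated above, T7c_GBL_1.01.000055 and earlier. The version layout (model, region, then major.minor.build) is an assumption inferred from that single string, the inventory is constructed, and "newer" only means outside the stated range, not confirmed patched.

```python
import re

# Last affected release, as stated in the article.
LAST_AFFECTED = "T7c_GBL_1.01.000055"

# Assumed layout: <model>_<region>_<major>.<minor>.<build>
_FW_RE = re.compile(r"^(?P<model>[A-Za-z0-9]+)_(?P<region>[A-Za-z]+)_"
                    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<build>\d+)$")


def parse_firmware(version):
    """Return (model, region, (major, minor, build)) or None if unparseable."""
    m = _FW_RE.match(version.strip())
    if not m:
        return None
    return (m["model"], m["region"],
            (int(m["major"]), int(m["minor"]), int(m["build"])))


def classify(version, last_affected=LAST_AFFECTED):
    """'affected', 'newer', or 'unknown' (fail closed: review manually)."""
    ref = parse_firmware(last_affected)
    cur = parse_firmware(version)
    # A different model or region train cannot be compared with the stated build.
    if cur is None or cur[:2] != ref[:2]:
        return "unknown"
    return "affected" if cur[2] <= ref[2] else "newer"


def triage(inventory):
    """Map each status to the hosts reporting it."""
    result = {"affected": [], "newer": [], "unknown": []}
    for host, version in inventory.items():
        result[classify(version)].append(host)
    return result


# Constructed inventory; only LAST_AFFECTED comes from the article.
SAMPLE_INVENTORY = {
    "mesh-livingroom": "T7c_GBL_1.01.000055",
    "mesh-office": "T7c_GBL_1.01.000041",
    "mesh-lab": "T7c_GBL_1.01.000060",   # hypothetical later build
    "mesh-garage": "1.01.55",            # truncated string, cannot be judged
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, sorted(hosts))
```

Devices reported as "affected" or "unknown" are the ones to keep behind the remote-management restrictions described above until the fixed firmware is installed.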
These vulnerabilities highlight the ongoing risks associated with Internet of Things (IoT) devices, particularly home networking equipment, which often become targets for attackers seeking to expand botnets or gain a foothold in home networks. The disclosure of hardcoded keys and easily accessible credentials underscores the importance of robust security development practices for manufacturers.