"The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access," Acer explained.
CVE-2026-49200: exposed log archive with plaintext credentials
Acer confirmed two maximum-severity zero-day vulnerabilities in its Wave 7 mesh routers, the first of which is tracked as CVE-2026-49200. Reported by security researcher Gergo Pap, this flaw is a broken access control issue that "can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives," the company said. Acer's advisory specifies that the problematic artifact is the acer_cgi.log file, which is accessible without authentication through the device web interface and contains cleartext login credentials for both web and Telnet access.
CVE-2026-49201: hardcoded AES key enables persistent backdoor injection
The second vulnerability, CVE-2026-49201, arises from a hardcoded cryptographic key in the router firmware. Acer explained that the upload.cgi binary, which processes device backups, "contains a hardcoded AES encryption key." That key, according to the advisory, allows an attacker to decrypt, modify, and re-encrypt system backups — a chain of actions that "facilitat[es] persistent backdoor injection" by giving remote attackers the ability to tamper with backup content.
Affected devices and firmware versions
Both zero-days affect Acer Wave 7 mesh routers that are running firmware version T7c_GBL_1.01.000055 or earlier. The advisory does not identify specific Wave 7 models by SKU; it specifies the Wave 7 product line and a firmware cutoff, and credits Gergo Pap for reporting the flaws.
Mitigations, firmware-update steps, and timeline
Acer said there are no security patches available yet, but the company is working on fixes and has set a target deployment window: "The vulnerabilities mentioned above are scheduled to be resolved in upcoming firmware updates. The target fix is planned for deployment by the end of June 2026." Until updates are released, Acer advised customers to mitigate risks by disabling remote management or, if the firmware supports it, restricting Internet remote access to trusted IP addresses only.
Acer also "strongly encouraged" all users to update their devices' firmware immediately after the security updates are issued and provided step-by-step instructions for checking and applying firmware updates:
- Connect your computer to your Acer Wave 7 router via Wi‑Fi or an Ethernet cable.
- Open a web browser and navigate to the router administration console (http://192.168.76.1 or http://acerconnect.com).
- Log in using your administrator credentials.
- Navigate to System Management, then select Firmware Update.
- Select Check for Updates.
What this means for security teams, end users, and attackers
Security teams and technologists: The advisory establishes a specific enterprise action window. Teams responsible for Wave 7 deployments should plan to verify firmware versions across inventory (any device running T7c_GBL_1.01.000055 or earlier is in-scope), disable or restrict remote management where feasible, and prepare to apply the forthcoming updates when Acer publishes them by the end of June 2026.
End users and home network owners: Users of Wave 7 routers are urged to watch for Acer's firmware release and to follow the vendor's update steps immediately after a patch becomes available. In the meantime, users can reduce exposure by disabling remote management or limiting remote access to trusted IP addresses if those options exist in the router firmware.
Adversaries and threat actors: The advisory describes two paths an unauthenticated remote attacker could exploit. CVE-2026-49200 can expose plaintext administrative credentials via an accessible log file, while CVE-2026-49201's hardcoded AES key can be used to decrypt, alter, and re-encrypt backups in order to inject persistent backdoors. Both descriptions underline how an attacker could gain and then persist access without needing prior privileges.
Acer has acknowledged the flaws, credited the researcher, and set an explicit remediation target: fixes planned for deployment by the end of June 2026. Until those updates are available, the vendor's recommended mitigations and the firmware-update steps above are the concrete actions provided to reduce risk.




