Acer working to patch max severity zero-days in Wave 7 routers
Acer is patching two critical zero-day vulnerabilities in its Wave 7 mesh routers (firmware 1.01.000055 or earlier). CVE-2026-49200 could allow unauthenticated remote access to plaintext credentials stored in log archives via the acer_cgi.log file, while CVE-2026-49201 stems from a hardcoded AES key in upload.cgi that could enable persistent backdoor access. Patches are not yet available, but Acer says fixes are planned for deployment by the end of June 2026. Until then, users should disable remote management or restrict Internet remote access to trusted IPs and follow the firmware-update steps once updates are released.

Introduction
Acer has identified and is actively addressing two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. The issues were reported by security researcher Gergo Pap and impact devices running firmware version T7cGBL1.01.000055 or earlier. The company has confirmed that fixes are in development and are planned for deployment by the end of June 2026.
Affected Devices and Firmware
- Product family: Wave 7 mesh routers
- Affected firmware: versions up to and including T7cGBL1.01.000055
- Scope: vulnerabilities reside within the device’s web-accessible components and backup handling mechanisms
The Vulnerabilities
CVE-2026-49200 — Broken access control
- Nature of the issue: An unauthenticated attacker can remotely access plaintext credentials stored in log archives.
- Impact: Credentials for web and Telnet access could be exposed, enabling unauthorized control over the device.
- Technical note: The acer_cgi.log file within the device firmware is accessible without authentication via the web interface, and it contains cleartext login credentials.
CVE-2026-49201 — Hardcoded cryptographic key
- Nature of the issue: A hardcoded cryptographic key is embedded in the upload.cgi binary that processes device backups.
- Impact: Remote attackers with no privileges could decrypt, modify, and re-encrypt system backups, enabling persistent backdoor access.
- Technical note: The hardcoded AES encryption key in the backup processing component creates a long-term backdoor risk if exploited.
Patch Status and Timeline
- Current status: No security patches are available yet for these two flaws.
- Planned resolution: Acer states that the vulnerabilities will be resolved in upcoming firmware updates, with the fix planned for deployment by the end of June 2026.
- Expectation: Users should monitor for official firmware updates and apply them once released.
Update and Patch Process
To apply firmware updates once they are issued:
- Step 1: Connect your computer to the Acer Wave 7 router via Wi-Fi or Ethernet.
- Step 2: Open a web browser and navigate to the router administration console (http://192.168.76.1 or http://acerconnect.com).
- Step 3: Log in with administrator credentials.
- Step 4: Go to System Management, then select Firmware Update.
- Step 5: Click Check for Updates to install available firmware.
Interim Mitigations (Until Patches Are Available)
- If possible, disable remote management on the router.
- If firmware features allow, restrict Internet remote access to trusted IP addresses only.
- Consider reviewing backup procedures and access controls to reduce exposure until fixes are released.
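To check the interim mitigations against traffic logs, the Python script below flags requests for the two artifacts named above (acer_cgi.log and upload.cgi) that come from outside a trusted range. It is an added example, not from Acer or the original article; the Common Log Format input, the /placeholder/ paths, the sample addresses and the trusted ranges are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Artifact names taken from the advisory text; matched anywhere in the request path.
WATCHED = ("acer_cgi.log", "upload.cgi")
# Assumption: management access is limited to these sources (constructed ranges).
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.76.0/24", "203.0.113.10/32")]
# Assumption: an upstream sensor or proxy records requests in Common Log Format.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample lines; "/placeholder/" is not a real device path.
SAMPLE_LOG = [
    '192.168.76.20 - - [02/Jun/2026:09:14:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Jun/2026:09:15:42 +0000] "GET /placeholder/acer_cgi.log HTTP/1.1" 200 18342',
    '198.51.100.7 - - [02/Jun/2026:09:16:10 +0000] "POST /placeholder/upload.cgi HTTP/1.1" 200 64',
    '203.0.113.10 - - [02/Jun/2026:09:20:00 +0000] "POST /placeholder/upload.cgi HTTP/1.1" 200 64',
    '198.51.100.23 - - [02/Jun/2026:09:21:30 +0000] "GET /placeholder/ACER_CGI%2Elog HTTP/1.1" 403 0',
]

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(addr in net for net in TRUSTED)

def find_suspect_requests(lines):
    """Return one finding per watched-artifact request from an untrusted source."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Drop the query string, decode percent-escapes, and ignore case.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        hit = next((w for w in WATCHED if w in path), None)
        if hit and not is_trusted(m["src"]):
            findings.append({"src": m["src"], "time": m["ts"], "artifact": hit,
                             "method": m["method"], "status": int(m["status"]),
                             # 2xx means the device answered the request
                             "served": m["status"].startswith("2")})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_requests(SAMPLE_LOG):
        print(finding)
```

A finding with "served" set to True for acer_cgi.log means the credentials in that log should be treated as exposed and changed.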
Closing note
Acer has acknowledged the two high-severity vulnerabilities and is actively developing fixes that are expected to be delivered by the end of June 2026. In the meantime, applying the recommended mitigation steps, such as disabling remote management and restricting remote access, can help reduce exposure while firmware updates are prepared and distributed.


