Acer confirmed that it’s working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.
According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.
The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives.
“The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access,” Acer explained.
The second flaw (CVE-2026-49201) stems from a hardcoded cryptographic key that lets unprivileged remote attackers gain persistent backdoor access to the router.
“The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key,” the company added. “This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.”
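The weakness Acer describes is a design one: a key baked into a firmware image is shared by every unit and, without an integrity check, anyone holding it can decrypt, alter and re-encrypt a backup undetected. As an added example (not Acer's code or firmware), here is how a router could instead seal backups with a per-device derived key and authenticated encryption, so a key recovered from one unit opens no other unit's backups and any modified blob is rejected on restore. The device secret, serial format and derivation label are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// backupAEAD derives a per-unit AES-256 key (HMAC-SHA256 over a device secret
// assumed provisioned at manufacture, plus the serial) and wraps it in GCM, so a
// key recovered from one firmware image or unit opens no other router's backups.
func backupAEAD(deviceSecret []byte, serial string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("backup-v1|" + serial)) // assumed label
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBackup encrypts and authenticates a backup; the serial is bound as
// additional data so a blob cannot be restored onto a different unit.
func sealBackup(deviceSecret []byte, serial string, plaintext []byte) ([]byte, error) {
	gcm, err := backupAEAD(deviceSecret, serial)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(serial)), nil
}

// openBackup fails on any altered nonce, ciphertext, tag or serial: the
// integrity check a decrypt-modify-re-encrypt attack depends on being absent.
func openBackup(deviceSecret []byte, serial string, blob []byte) ([]byte, error) {
	gcm, err := backupAEAD(deviceSecret, serial)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(serial))
}
```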
While no security patches are available yet for these two flaws, Acer says it’s working on fixes that should be released by the end of the month.
“The vulnerabilities mentioned above are scheduled to be resolved in upcoming firmware updates. The target fix is planned for deployment by the end of June 2026,” it said.
The company also “strongly encouraged” all users to update their devices’ firmware immediately after the security updates are issued by following the steps below:
- Connect your computer to your Acer Wave 7 router via Wi-Fi or an Ethernet cable.
- Open a web browser and navigate to the router administration console (http://192.168.76.1 or http://acerconnect.com).
- Log in using your administrator credentials.
- Navigate to System Management, then select Firmware Update.
- Select Check for Updates.
To mitigate attack risks until a patch is available, Acer customers are advised to disable remote management or, if the firmware allows, restrict Internet remote access to trusted IP addresses only.