RSS

Acer working to patch max severity zero-days in Wave 7 routers

Brajeshwar1 pts0 comments

Acer working to patch max severity zero-days in Wave 7 routers

Home<br>News<br>Security<br>Acer working to patch max severity zero-days in Wave 7 routers

Acer working to patch max severity zero-days in Wave 7 routers

By Sergiu Gatlan

June 3, 2026

07:35 AM

Acer confirmed that it's working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.

According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.

The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives.

"The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access," Acer explained.

The second one (CVE-2026-49201) stems from a hardcoded cryptographic key that lets remote attackers without privileges gain persistent backdoor access to the router.

"The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key," the company added. "This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection."

While no security patches are available yet for these two flaws, Acer says it's working on fixes that should be released by the end of the month.

"The vulnerabilities mentioned above are scheduled to be resolved in upcoming firmware updates. The target fix is planned for deployment by the end of June 2026," it said.

The company also "strongly encouraged" all users to update their devices' firmware immediately after the security updates are issued by following the steps below:

Connect your computer to your Acer Wave 7 router via Wi-Fi or an Ethernet cable.

Open a web browser and navigate to the router administration console (http://192.168.76.1 or http://acerconnect.com).

Log in using your administrator credentials.

Navigate to System Management, then select Firmware Update.

Select Check for Updates.

To mitigate attack risks until a patch is available, Acer customers are advised to disable remote management or, if the firmware allows, restrict Internet remote access to trusted IP addresses only.

The Validation Gap: Automated Pentesting Answers One Question. You Need Six.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.<br>This guide covers the 6 surfaces you actually need to validate.

Download Now

Related Articles:

Google fixes one actively exploited Android zero-day, 124 flaws<br>Disgruntled researcher leaks &ldquo;BlueHammer&rdquo; Windows zero-day exploit<br>New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released<br>New Gogs zero-day flaw lets hackers get remote code execution<br>Max-severity flaw in ChromaDB for AI apps allows server hijacking

Acer

Acer Wave 7

Clear Text

Credentials

Hardcoded Key

Router

Vulnerability

Zero-Day

Sergiu Gatlan

Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

Previous Article

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

Critical Windows Netlogon RCE flaw now exploited in attacks

Microsoft fixes outage affecting MFA setup, MySignIn service

Microsoft Exchange Online outage causes email delays, failures

Sponsor Posts

Overdue a password health-check? Audit your Active Directory for free

SecAlerts: real-time vulnerability information directly from the source - no NVD delays.

33% Rise in Healthcare Credential Theft in 2025: What you need to know

#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.

New webinar: Behind-the-scenes of device code phishing kits

Login

Username

Password

Remember Me

Sign in anonymously

Sign in with Twitter

Not a member yet? Register Now

Reporter

Help us understand the problem. What is going on with this comment?

Spam

Abusive or Harmful

Inappropriate content

Strong language

Other

Read our posting guidelinese to learn what content is prohibited.

Submitting...

SUBMIT

acer zero wave security working severity

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.