Security researcher Gergo Pap publicly disclosed two maximum-severity zero-day vulnerabilities in Acer Wave 7 mesh Wi-Fi routers, exposing every device in the product line to unauthenticated credential theft and persistent backdoor access — with no patch available until the end of the month.
CVE-2026-49200 and CVE-2026-49201: Two Attack Surfaces on Acer Wave 7 Firmware
Both vulnerabilities affect Acer Wave 7 routers running firmware version T7c_GBL_1.01.000055 and earlier — the entire current product line. The Wave 7 is marketed as a home and small-office mesh system, placing vulnerable devices on residential networks, home office environments, and small business LANs where patching cadence is typically slow and firmware update awareness is low.
Acer has acknowledged the vulnerabilities and communicated a target patch release at the end of June 2026. No patch was available at the time of disclosure. The affected user base faces a multi-week exposure window with no software fix and limited interim mitigation options.
CVE-2026-49200: Cleartext Admin Credentials in the Unauthenticated acer_cgi.log File
CVE-2026-49200 exploits a missing authentication gate on the router’s acer_cgi.log file. An attacker who can reach the router’s web interface — including from the local network or, if remote management is enabled, from the internet — can download this log file without providing any credentials. The log stores login credentials in cleartext, immediately delivering the router’s admin password to the attacker along with any other credentials the log may contain.
The attack requires no exploitation of memory corruption, no buffer overflow, and no privilege escalation: it is a direct HTTP request to an endpoint that should require authentication but does not. The simplicity of the attack makes it accessible to low-skilled threat actors and compatible with automated scanning tools.
CVE-2026-49201: Hardcoded AES Key in upload.cgi Enables Persistent Backdoor Access
CVE-2026-49201 is more consequential in terms of long-term device security. The router’s upload.cgi binary contains a hardcoded AES encryption key — a fixed cryptographic key embedded in the firmware that cannot be changed by the device owner. This key is used to encrypt and decrypt system backup files. An attacker with knowledge of the key can decrypt captured backup files to extract configuration data, or craft malicious backup files that inject altered configurations when uploaded to the device — establishing persistent backdoor access that survives standard factory resets and firmware updates that do not replace the hardcoded key.
The hardcoded key vulnerability class (catalogued as CWE-321) represents a design decision rather than a coding error. Once the key is publicly known, as it now is following Pap’s disclosure, the backup encryption on every device running the vulnerable firmware no longer provides any protection, because the device owner cannot change the key. The only remediation is a firmware update that replaces the key, which requires users to apply Acer’s end-of-June patch. Users who never apply that update will remain vulnerable indefinitely.
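Why a key shared by every firmware image cannot authenticate a backup, while a key generated on each device can, shown as an added example that is not Acer's code and not part of the original article. It substitutes HMAC-SHA256 tagging for the router's AES backup encryption (the article does not describe the backup format), and the key value, the Device class and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a key compiled into every firmware image (not the real key).
FIRMWARE_WIDE_KEY = b"constructed-demo-key-0123456789"
TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes


def seal(config: dict, key: bytes) -> bytes:
    """Serialize a config and prepend an HMAC-SHA256 tag computed with `key`."""
    body = json.dumps(config, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def restore(blob: bytes, key: bytes) -> dict:
    """Return the config only if the tag verifies under `key`; otherwise raise."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("backup rejected: authentication tag does not verify")
    return json.loads(body)


class Device:
    """Hypothetical router model; `per_device` selects which key protects backups."""

    def __init__(self, per_device: bool):
        # Hardened design: a random key created on first boot, never shipped in firmware.
        self.key = secrets.token_bytes(32) if per_device else FIRMWARE_WIDE_KEY

    def export_backup(self, config: dict) -> bytes:
        return seal(config, self.key)

    def import_backup(self, blob: bytes) -> dict:
        return restore(blob, self.key)


def accepts_foreign_backup(target: Device) -> bool:
    """True if `target` restores a backup that was sealed off-device with the firmware-wide key."""
    foreign = seal({"remote_mgmt": True}, FIRMWARE_WIDE_KEY)
    try:
        target.import_backup(foreign)
        return True
    except ValueError:
        return False
```

With the shared key, the device has no way to tell its own backups from ones produced by anyone who holds the firmware image; with a per-device key, only blobs that device sealed are restored.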
Interim Exposure and Mitigation Options for Wave 7 Owners
No active exploitation of either vulnerability was reported at the time of Pap’s disclosure. However, the public availability of the technical details — including the specific log file path for CVE-2026-49200 and the hardcoded key value for CVE-2026-49201 — lowers the barrier for exploitation and increases the probability of opportunistic attacks targeting Wave 7 devices before a patch becomes available.
The available interim mitigations are network-level rather than software-level. Disabling remote management on the Wave 7 eliminates internet-facing exposure to CVE-2026-49200’s credential theft path. Restricting access to the router’s admin interface to trusted devices on the local network reduces the local-access attack surface. Neither mitigation addresses CVE-2026-49201’s hardcoded key issue, which requires the end-of-June firmware update for full remediation. Wave 7 owners should monitor Acer’s support channels for the patch release and apply it promptly given the severity of the disclosed flaws.
