Acer Wave 7 mesh routers zero-days (multiple vulnerabilities)
Vulnerability
Summary
Hide ▲
Show ▼
Two maximum-severity zero-days in Acer Wave 7 mesh routers expose affected devices to plaintext credential disclosure and persistent backdoor access while firmware fixes are still pending. The flaws affect routers running T7c_GBL_1.01.000055 or earlier and are tracked as CVE-2026-49200 and CVE-2026-49201. No security patches are available yet, but Acer says fixes are planned for end of June 2026. Temporary risk reduction relies on disabling remote management or limiting Internet access to trusted IP addresses.
Timeline
-
03.06.2026 14:35 2 articles · 7h ago
Acer confirms two zero-days in Wave 7 mesh routers
Initial DisclosureAcer confirmed two maximum-severity zero-days in Wave 7 mesh routers running firmware version T7c_GBL_1.01.000055 or earlier. CVE-2026-49200 can expose plaintext web and Telnet login credentials from acer_cgi.log without authentication, and CVE-2026-49201 uses a hardcoded AES key in upload.cgi to enable persistent backdoor access. Acer said no security patches were available yet, planned firmware fixes for the end of June 2026, and advised customers to disable remote management or restrict Internet remote access to trusted IP addresses until updates are installed.
Show sources
- Acer working to patch max severity zero-days in Wave 7 routers — www.bleepingcomputer.com — 03.06.2026 14:35
- Acer working to patch max severity zero-days in Wave 7 routers — www.bleepingcomputer.com — 03.06.2026 14:35