2026-06-03 BleepingComputer

Acer Wave 7 Routers Hit by Two Max-Severity Zero-Day Vulnerabilities

Zero-Day, Vulnerability, Authentication

Acer has confirmed it is actively developing patches for two maximum-severity zero-day vulnerabilities impacting its Wave 7 mesh routers. Both flaws were reported by independent security researcher Gergo Pap and affect devices running firmware version T7c_GBL_1.01.000055 or earlier. The company expects firmware updates to ship by the end of June 2026.

The first vulnerability, tracked as CVE-2026-49200, is a broken access control flaw that allows unauthenticated remote attackers to retrieve plaintext credentials from log archives. According to Acer's advisory, the acer_cgi.log file containing cleartext web and Telnet login credentials is accessible without authentication through the router's web interface, providing a direct path to full system compromise. Users concerned about exposed credentials can verify their accounts using an online password checker and rotate any reused passwords immediately.

The second flaw, CVE-2026-49201, stems from a hardcoded AES encryption key embedded in the upload.cgi binary that processes device backups. This key allows remote, unprivileged attackers to decrypt, modify, and re-encrypt system backups, enabling persistent backdoor injection that survives factory resets.

Until patches are released, Acer strongly recommends disabling remote management features or restricting internet-facing administrative access to trusted IP addresses where firmware permits. Users can audit their network exposure by running a port scanner against their public IP to identify any open router management interfaces. The standard update path involves logging into the router console at 192.168.76.1 or acerconnect.com, navigating to System Management, and selecting Firmware Update. A broader privacy checkup of connected home devices is also advised given the severity of these flaws, which require no authentication and no user interaction to exploit.
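
The exposure audit described above, as an added example (not from Acer or the original article): a TCP connect check against your own public IP, run from a host outside your network such as a phone hotspot. The port list is an assumption, since the article names web and Telnet logins but gives no port numbers, and the default address is a documentation placeholder.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumed management ports: conventional Telnet and web defaults plus common
# alternates. The article does not state which ports the router listens on.
MGMT_PORTS = {23: "telnet", 80: "http", 443: "https", 8080: "http-alt", 8443: "https-alt"}


def port_state(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a service is reachable
    except ConnectionRefusedError:
        return "closed"          # host answered with RST: nothing listening
    except OSError:
        return "filtered"        # timeout or unreachable: traffic is being dropped


def audit(host, ports=MGMT_PORTS, timeout=3.0):
    """Check all ports in parallel and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        states = pool.map(lambda p: port_state(host, p, timeout), ports)
        return dict(zip(ports, states))


def exposed(results):
    """Ports that accepted a connection and should be closed or restricted."""
    return sorted(p for p, s in results.items() if s == "open")


if __name__ == "__main__":
    # 203.0.113.10 is a placeholder (TEST-NET-3); pass your own public IP.
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = audit(wan_ip)
    for port, state in sorted(results.items()):
        print(f"{port:>5}/tcp  {MGMT_PORTS.get(port, '?'):<10} {state}")
    if exposed(results):
        print("Management service reachable from outside: disable remote "
              "management or restrict it to trusted IP addresses.")
```

A result of "filtered" or "closed" on every port from an outside vantage point is the desired state until the firmware update is installed.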

Source: BleepingComputer
