Acer working to patch max severity zero-days in Wave 7 routers

Key Points:

• Two maximum-severity zero-day vulnerabilities (CVE-2026-49200 and CVE-2026-49201) have been identified in Acer's Wave 7 mesh routers, allowing unauthorized access to sensitive information and persistent backdoor access.
• The first vulnerability enables unauthenticated attackers to access plaintext credentials stored in log files, while the second allows for backdoor access via a hardcoded cryptographic key, affecting routers running firmware version T7c_GBL_1.01.000055 or earlier.
• Users are advised to disable remote management and restrict Internet access to trusted IPs until patches are released, which are expected by the end of June 2026.

Technical Details: CVE-2026-49200 allows attackers to retrieve plaintext credentials from the acer_cgi.log file without authentication, while CVE-2026-49201 involves a hardcoded AES key that enables unauthorized modifications to system backups.

MITRE ATT&CK Techniques: None mentioned

IOCs Mentioned: None mentioned