Acer operating to patch max severity zero-days in Wave 7 routers

Acer showed that it is operating to handle two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.

Consistent with a Friday safety advisory, the 2 safety flaws had been reported through safety researcher Gergo Pap and impact Wave 7 routers working firmware model T7c_GBL_1.01.000055 or previous.

The primary zero-day, a damaged get admission to keep watch over vulnerability tracked as CVE-2026-49200, can permit unauthenticated attackers to remotely get admission to plaintext credentials saved in log archives.

“The acer_cgi.log record within the software firmware is offered with out authentication by way of the internet interface. This record comprises cleartext login credentials (for internet and Telnet), resulting in unauthorized gadget get admission to,” Acer defined.

The second (CVE-2026-49201) stems from a hardcoded cryptographic key that we could faraway attackers with out privileges achieve chronic backdoor get admission to to the router.

“The add.cgi binary, answerable for processing software backups, comprises a hardcoded AES encryption key,” the corporate added. “This permits an attacker to decrypt, regulate, and re-encrypt gadget backups, facilitating chronic backdoor injection.”

Whilst no safety patches are to be had but for those two flaws, Acer says it is operating on fixes that are supposed to be launched through the top of the month.

“The vulnerabilities discussed above are scheduled to be resolved in upcoming firmware updates. The objective repair is deliberate for deployment through the top of June 2026,” it stated.

The corporate additionally “strongly inspired” all customers to replace their units’ firmware straight away after the protection updates are issued through following the stairs underneath:

1. Attach your pc for your Acer Wave 7 router by way of Wi-Fi or an Ethernet cable.
2. Open a internet browser and navigate to the router management console (http://192.168.76.1 or http://acerconnect.com).
3. Log in the use of your administrator credentials.
4. Navigate to Machine Control, then make a choice Firmware Replace.
5. Make a selection Test for Updates.

To mitigate assault dangers till a patch is to be had, Acer shoppers are suggested to disable faraway control or, if the firmware permits, prohibit Web faraway get admission to to relied on IP addresses simplest.