Acer addresses critical zero-day vulnerabilities in Wave 7 routers

As reported by Bleeping Computer, Acer has confirmed it is actively working to resolve two critical zero-day vulnerabilities impacting its Wave 7 mesh routers. These security flaws, reported by researcher Gergo Pap, affect firmware version T7c_GBL_1.01.000055 and earlier.

The first vulnerability, CVE-2026-49200, is a broken access control flaw that allows unauthenticated attackers to access plaintext credentials from log archives, potentially leading to unauthorized system access. The second, CVE-2026-49201, involves a hardcoded cryptographic key, enabling remote attackers to gain persistent backdoor access by decrypting and re-encrypting system backups.

Acer plans to release firmware updates to address these issues by the end of June 2026. Until then, users are advised to disable remote management or restrict access to trusted IP addresses. The company strongly encourages users to update their firmware immediately once the patches become available.

Source: Bleeping Computer