Waiting for security patch: Acer Wave-7 router credentials visible

Critical vulnerabilities threaten Acer Wave-7 series routers. Security updates are not yet available.

Attackers can gain full control over Acer's Wave-7 routers. The cause is two security vulnerabilities rated “critical” with the highest rating, for which there is currently no security update. Acer promises a patch by the end of June.

In a warning message, the hardware manufacturer explains that both vulnerabilities (CVE-2026-49200, CVE-2026-49201) are rated with the maximum CVSS score of 10 out of 10. The manufacturer states that all routers up to and including firmware T7c_GBL_1.01.000055 are affected.

Due to a lack of isolation, attackers can access the router firmware via the web interface without authentication and view the file acer_cgi.log. This file contains unencrypted credentials, allowing attackers to subsequently gain full control over the devices.

In the second case, attackers can access the upload.cgi binary, which processes device backups, and modify the firmware. This allows them, for example, to place a backdoor in the code. How such attacks proceed in detail is currently unclear. However, given the critical rating, it can be assumed that attackers will not face significant hurdles in carrying out a successful attack.

As there is currently no security patch or interim solution to secure the routers, owners should disconnect the device from the internet to give attackers no entry point. Since a router is the gateway to one's own network, it deserves particular protection. So far, Acer has given no indication that attackers are already targeting devices. However, this could change quickly.

In mid-March, security vulnerabilities in TP-Link's Archer series routers became known, which, among other things, also allowed flashing manipulated firmware.

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.