Acer is addressing two maximum-severity zero-day vulnerabilities in its Wave 7 mesh routers that can expose plaintext credentials or enable persistent backdoor access. The flaws, tracked as CVE-2026-49200 and CVE-2026-49201, affect firmware version T7c_GBL_1.01.000055 or earlier, with fixes planned by the end of June 2026. #Acer #Wave7 #CVE-2026-49200 #CVE-2026-49201
Keypoints
- Acer confirmed two critical zero-days in Wave 7 mesh routers.
- CVE-2026-49200 can expose plaintext web and Telnet credentials from log archives.
- CVE-2026-49201 uses a hardcoded AES key to enable persistent backdoor access.
- The flaws affect firmware version T7c_GBL_1.01.000055 or earlier.
- Acer plans to release firmware fixes by the end of June 2026 and advises disabling remote management.