Acer has confirmed it is developing a security firmware update to address two critical zero-day vulnerabilities discovered in its Wave 7 family of routers.
The company published an advisory on June 2, 2026, saying the flaws affect devices running firmware version T7c_GBL_1.01.000055 or earlier. Both issues were reported responsibly by researcher Gergo Pap.
Acer Vulnerabilities
Two separate, remotely exploitable bugs allow unauthenticated attackers to take full control of affected routers without user interaction.
Broken access control exposing credentials
The first flaw is a broken access control issue that allows unauthenticated access to the acer_cgi.log file through the router’s web interface. That log contains sensitive information, including plaintext administrative and Telnet credentials.
Because the file can be read without authentication, attackers can extract valid login details and use them to access and manage the device.
The vulnerability maps to CWE-532 and carries a CVSS score of 10.0, reflecting both ease of exploitation and severe impact.
Hardcoded AES key enabling persistent backdoor injection
The second flaw exists in the upload.cgi binary, which processes backup files using a hardcoded AES encryption key. An attacker who knows the key can decrypt configuration backups, modify them (for example to inject a malicious configuration or backdoor), re-encrypt, and restore the altered backup to achieve persistent compromise.
This issue is categorized as CWE-798 and also has a CVSS score of 10.0. Successful exploitation can give long-term administrative control of the router and a foothold for lateral movement across connected networks.
Both vulnerabilities are remotely exploitable without authentication or user interaction, significantly increasing the risk of widespread abuse.
With administrative control, attackers can exfiltrate data, monitor traffic, maintain persistence, and pivot into internal networks threats that are especially damaging in home and small-office environments where Wave 7 devices are commonly used.
Acer’s Response
Acer stated a security firmware update is in development and expects to publish it by the end of June 2026. Users should apply that update immediately once it is available.
- Restrict management access: Limit the router management interface (web/remote) to trusted IPs or disable remote management entirely.
- Disable unnecessary services: Turn off Telnet, remote administration, and other unused services.
- Monitor device logs and behavior: Look for unexpected configuration changes, new accounts, or unusual network traffic.
- Change default credentials: Replace any factory or previously exposed credentials with strong, unique passwords after patching.
- Backup safely: When exporting backups, treat them as sensitive material and verify integrity after the vendor patch.
Acer advises checking the router’s administration panel at http://192.168.76.1 or http://acerconnect.com. Log in with administrator credentials, go to System Management → Firmware Update, and install the provided firmware. Do not interrupt the update process, as doing so could corrupt firmware and render the device unusable.
This incident highlights persistent security problems in embedded devices specifically insecure logging that leaks credentials and hardcoded cryptographic keys that allow backup manipulation.
Users of affected Wave 7 routers should prepare to install Acer’s forthcoming patch and apply the interim mitigation steps to reduce exposure.
No Comment! Be the first one.