Acer says two critical security holes in its Wave 7 mesh routers could let attackers break in remotely, and patches are not available yet. The flaws, CVE-2026-49200 and CVE-2026-49201, affect Wave 7 routers running firmware T7c_GBL_1.01.000055 or earlier. One bug exposes plaintext web and Telnet credentials through an unauthenticated web-accessible log file, while the other uses a hardcoded AES key in backup handling to let attackers alter backups and implant persistent backdoor access.
Why it matters: People and organizations using affected Acer Wave 7 routers could face account compromise and long-term unauthorized access if devices are exposed. This is urgent because there is no patch yet; users should disable remote management or restrict it to trusted IP addresses and apply Acer's firmware update as soon as it is released.
Sergiu Gatlan
2026.06.03
100% relevant
This article appears to be the first clear report establishing Acer's disclosure of CVE-2026-49200 and CVE-2026-49201, the affected Wave 7 firmware versions, interim mitigations, and the expected end-of-June fix window.
← Back to all stories