Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
AnalysisAI
Hardcoded AES encryption key in the upload.cgi binary of the Acer Wave 7 router (firmware T7c_GBL_1.01.000055 and earlier) allows remote unauthenticated attackers to decrypt, tamper with, and re-encrypt device backup files, enabling persistent backdoor injection on affected devices. The CVSS 4.0 score of 10.0 reflects full compromise of confidentiality, integrity, and availability across both the vulnerable component and downstream subsequent systems. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to (1) obtain the static AES key, which is recoverable by anyone with access to the firmware binary, and (2) reach the upload.cgi backup-restore endpoint on a vulnerable Wave 7 router running firmware T7c_GBL_1.01.000055 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and warrant careful interpretation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same LAN - or remote if WAN-side management is enabled - extracts the hardcoded AES key from the firmware image (publicly downloadable from Acer support), captures or generates a router backup file, decrypts it, embeds a malicious startup script or rogue admin credential, re-encrypts it with the same key, and uploads it through the upload.cgi restore flow. Because the device accepts the file as cryptographically valid, the backdoor persists across reboots and firmware-preserving updates, giving the attacker durable control of the router. |
| Remediation | Patch status is not explicitly stated in the supplied data - no vendor-released fix version was provided alongside the advisory reference, so administrators should consult https://community.acer.com/en/kb/articles/19673 directly for the patched firmware build and apply it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Acer Wave 7 routers in production; identify devices running firmware T7c_GBL_1.01.000055 or earlier; disable remote management access if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wave 7 Router
View allSame weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33271
GHSA-5xrr-7q3m-rh98