Skip to main content

Acer Wave 7 Router EUVDEUVD-2026-33271

| CVE-2026-49201 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-05-29 Acer GHSA-5xrr-7q3m-rh98
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 13:00 vuln.today
CVSS changed
May 29, 2026 - 11:22 NVD
10.0 (CRITICAL)
CVE Published
May 29, 2026 - 08:57 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

AnalysisAI

Hardcoded AES encryption key in the upload.cgi binary of the Acer Wave 7 router (firmware T7c_GBL_1.01.000055 and earlier) allows remote unauthenticated attackers to decrypt, tamper with, and re-encrypt device backup files, enabling persistent backdoor injection on affected devices. The CVSS 4.0 score of 10.0 reflects full compromise of confidentiality, integrity, and availability across both the vulnerable component and downstream subsequent systems. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain Wave 7 firmware image
Delivery
Extract hardcoded AES key from upload.cgi
Exploit
Reach router admin interface on LAN or exposed WAN
Install
Craft backup with injected backdoor and re-encrypt
C2
Upload via upload.cgi restore endpoint
Execute
Device accepts backup as authentic
Impact
Persistent router compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to (1) obtain the static AES key, which is recoverable by anyone with access to the firmware binary, and (2) reach the upload.cgi backup-restore endpoint on a vulnerable Wave 7 router running firmware T7c_GBL_1.01.000055 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and warrant careful interpretation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same LAN - or remote if WAN-side management is enabled - extracts the hardcoded AES key from the firmware image (publicly downloadable from Acer support), captures or generates a router backup file, decrypts it, embeds a malicious startup script or rogue admin credential, re-encrypts it with the same key, and uploads it through the upload.cgi restore flow. Because the device accepts the file as cryptographically valid, the backdoor persists across reboots and firmware-preserving updates, giving the attacker durable control of the router.
Remediation Patch status is not explicitly stated in the supplied data - no vendor-released fix version was provided alongside the advisory reference, so administrators should consult https://community.acer.com/en/kb/articles/19673 directly for the patched firmware build and apply it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Acer Wave 7 routers in production; identify devices running firmware T7c_GBL_1.01.000055 or earlier; disable remote management access if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-33271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy