ctipilot.ch


CVE-2026-49200 / CVE-2026-49201 — Acer Wave-7 mesh routers: cleartext-credential log + hardcoded backup key, CVSS 10.0, no patch

From CTI Daily Brief — 2026-06-08 · published 2026-06-08

Acer warned of two maximum-severity, unpatched vulnerabilities in Wave-7 mesh routers running firmware T7c_GBL_1.01.000055 and earlier. No fix is available; Acer is targeting end-June 2026 (BleepingComputer, 2026-06-03; heise, 2026-06-05). CVE-2026-49200 (broken access control) exposes acer_cgi.log, which stores web-admin and Telnet credentials in cleartext, to any unauthenticated client that can reach the management interface. CVE-2026-49201 (hardcoded cryptographic key) is a fixed AES key in the upload.cgi backup handler: because every device shares the key, an attacker can decrypt a backup, modify it and re-encrypt it so the device accepts it on restore, which is enough to plant a persistent backdoor in the configuration. Chained, the two give unauthenticated takeover followed by persistence that survives a credential change. Inclusion gate: CVSS 10.0, no patch; no confirmed in-the-wild exploitation and no public PoC observed yet. Audience relevance is SME and home-office edge rather than core public-sector infrastructure, but the no-patch status makes the interim controls time-sensitive. Mitigations (Acer): disable remote administration, restrict the management interface to trusted internal segments, change default credentials, and watch for unauthorized logins or configuration changes. Caveat on ordering: changing credentials while the management interface is still reachable only refreshes what an attacker can read from acer_cgi.log, so restrict reachability first, then rotate. Detection concept: alert on unauthenticated HTTP GETs to /acer_cgi.log, and on backup restore events via upload.cgi that fall outside a planned change; whether a request counts as unauthenticated depends on what the logging layer records (a cookie-based session shows no authuser in a standard access log), so treat any read of acer_cgi.log as actionable and use the auth field only to set severity.
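The detection concept above, written out as an added example that is not code from the brief or from Acer. It assumes requests to the router's management interface are captured in Common Log Format by something in front of the device (a reverse proxy, an IDS HTTP log); the log lines and the trusted-management subnet 10.10.0.0/24 are constructed for illustration, and the rule names are hypothetical.

```python
"""Detection rules for the Acer Wave-7 advisory (CVE-2026-49200 / CVE-2026-49201).

Added example, not the brief's or Acer's own code. Assumes management-interface
traffic is visible in a Common Log Format access log; the sample lines and the
trusted subnet below are constructed, not real device output.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical trusted management segment; replace with the real internal range.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Common Log Format: host ident authuser [date] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Alert:
    rule: str
    severity: str
    src: str
    ts: str
    detail: str


def _path_only(path: str) -> str:
    # Drop any query string so "/acer_cgi.log?x=1" still matches.
    return path.split("?", 1)[0]


def _trusted(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def evaluate(line: str) -> Optional[Alert]:
    """Return an Alert for one log line, or None if nothing matched."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not a CLF line; ignore
    f = m.groupdict()
    path = _path_only(f["path"]).lower()
    unauthenticated = f["user"] == "-"  # caveat: cookie sessions also show "-"
    status = int(f["status"])

    # Rule 1: any read of the cleartext-credential log is actionable;
    # the auth field and the status code only set the severity.
    if f["method"] == "GET" and path.endswith("/acer_cgi.log"):
        if unauthenticated and status == 200:
            sev, why = "critical", "unauthenticated read of acer_cgi.log succeeded (HTTP 200)"
        elif unauthenticated:
            sev, why = "high", f"unauthenticated read of acer_cgi.log attempted (HTTP {status})"
        else:
            sev, why = "medium", f"authenticated read of acer_cgi.log by {f['user']}"
        return Alert("CVE-2026-49200-log-read", sev, f["src"], f["ts"], why)

    # Rule 2: a backup restore through upload.cgi is the persistence step;
    # anything from outside the management segment is presumed hostile.
    if f["method"] == "POST" and path.endswith("/upload.cgi"):
        if not _trusted(f["src"]):
            sev, why = "high", "backup restore from outside the trusted management segment"
        else:
            sev, why = "medium", "backup restore from management segment; confirm it was scheduled"
        return Alert("CVE-2026-49201-backup-restore", sev, f["src"], f["ts"], why)

    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (evaluate(line) for line in lines) if a is not None]


# Constructed sample log (not real device output).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2026:09:12:01 +0200] "GET /acer_cgi.log HTTP/1.1" 200 18231',
    '10.10.0.5 - admin [08/Jun/2026:09:15:40 +0200] "GET /index.cgi HTTP/1.1" 200 4021',
    '203.0.113.7 - - [08/Jun/2026:09:16:02 +0200] "POST /upload.cgi HTTP/1.1" 200 77',
    '10.10.0.5 - admin [08/Jun/2026:10:00:00 +0200] "POST /upload.cgi HTTP/1.1" 200 77',
    '198.51.100.9 - - [08/Jun/2026:10:03:17 +0200] "GET /acer_cgi.log?x=1 HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity:8}] {alert.rule} src={alert.src} ts={alert.ts}: {alert.detail}")
```

On the constructed sample the scanner raises four alerts: the successful unauthenticated read from 203.0.113.7 (critical), the restore from the same external address (high), the restore from the management segment (medium, to be reconciled against change records), and the blocked read attempt from 198.51.100.9 (high, because it shows someone probing for the file). The benign authenticated index request produces nothing.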

CVE Summary Table

CVE             Product                        CVSS  EPSS  KEV  Exploited                     Patch                       Source
CVE-2026-3300   Everest Forms Pro (WordPress)  9.8   ~30%  No   Yes (mass, since 2026-04-13)  v1.9.13 (2026-03-18)        Wordfence
CVE-2026-49200  Acer Wave-7 mesh router        10.0  n/a   No   No (no PoC seen)              None (fix ≈ end-June 2026)  BleepingComputer
CVE-2026-49201  Acer Wave-7 mesh router        10.0  n/a   No   No (no PoC seen)              None (fix ≈ end-June 2026)  BleepingComputer