CVE-2026-49200 / CVE-2026-49201 — Acer Wave-7 mesh routers: cleartext-credential log + hardcoded backup key, CVSS 10.0, no patch
From CTI Daily Brief — 2026-06-08 · published 2026-06-08
Acer has warned of two maximum-severity zero-days in Wave-7 mesh routers running firmware T7c_GBL_1.01.000055 and earlier. No patch is available; Acer is targeting a fix for end-June 2026 (BleepingComputer, 2026-06-03; heise, 2026-06-05).

CVE-2026-49200 (broken access control): the file acer_cgi.log, which stores the web-admin and Telnet credentials in cleartext, is readable by any unauthenticated client that can reach the management interface.

CVE-2026-49201 (hardcoded cryptographic key): the upload.cgi backup handler uses a fixed AES key, so anyone holding that key can decrypt a device backup, modify it (for example to plant a persistent backdoor), re-encrypt it and restore it to the device. Chained, the leaked credentials provide the takeover and the tampered backup provides the persistence: an unauthenticated takeover-plus-persistence chain.

Inclusion gate: CVSS 10.0, critical severity, no patch available. No confirmed in-the-wild exploitation and no public PoC observed yet.

Audience relevance: SME and home-office edge rather than core public-sector infrastructure, but the no-patch status makes the interim controls time-sensitive.

Mitigations (Acer): disable remote administration; restrict the management interface to trusted internal segments; change default credentials; watch for unauthorized logins or configuration changes. Changing credentials alone does not remove the exposure while the log stays readable by unauthenticated clients, so restricting who can reach the management interface is the primary control until the firmware fix ships.

Detection concept: alert on unauthenticated HTTP GETs to /acer_cgi.log and on unexpected backup-restore events via upload.cgi. In practice this needs request-level visibility from something in front of the management interface (firewall, reverse proxy or network sensor), since a consumer router is unlikely to export its own access log. A 2xx response to an unauthenticated GET of the log confirms the exposure; a 401/403 indicates the access control is working.
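The detection concept above, worked into runnable form as an added example (this is not code from the brief or from Acer). It runs two rules plus a correlation over constructed HTTP log lines of the kind a reverse proxy or network sensor in front of the management interface might emit. The log format, the `/cgi-bin/upload.cgi` path, the `sid` session-cookie name and the admin-host allowlist are assumptions; only the `/acer_cgi.log` path and the `upload.cgi` handler name come from the advisory text.

```python
"""Detection rules for the Acer Wave-7 indicators, run over constructed log lines."""
import re
from dataclasses import dataclass

# Assumed log format: client ip, timestamp, request line, status, Cookie header value.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)

LOG_PATH = "/acer_cgi.log"       # path named in the advisory's detection concept
BACKUP_HANDLER = "upload.cgi"    # backup handler named in CVE-2026-49201
SESSION_COOKIE = "sid"           # assumption: name of the router's session cookie

# Constructed sample log (not real traffic). 198.51.100.7 reads the credential log
# without a session, then restores a backup; 192.0.2.10 is a legitimate admin host.
SAMPLE_LOG = """\
192.0.2.10 - [08/Jun/2026:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 cookie="sid=abc123"
198.51.100.7 - [08/Jun/2026:09:15:11 +0000] "GET /acer_cgi.log HTTP/1.1" 200 cookie="-"
192.0.2.10 - [08/Jun/2026:09:15:30 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 cookie="sid=abc123"
198.51.100.7 - [08/Jun/2026:09:17:45 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 cookie="sid=deadbeef"
this line is deliberately malformed and must be skipped
"""
ADMIN_HOSTS = {"192.0.2.10"}     # assumption: hosts allowed to perform backup restores


@dataclass(frozen=True)
class Alert:
    rule: str
    ip: str
    ts: str
    detail: str


def parse(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_authenticated(cookie):
    """Assumption: a request carrying the session cookie came from a logged-in session."""
    return cookie != "-" and f"{SESSION_COOKIE}=" in cookie


def detect(log_text, admin_hosts):
    """Apply the two advisory rules and a read-then-restore correlation; return alerts in order."""
    alerts = []
    log_readers = set()  # clients that fetched the credential log, for chain correlation
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue  # unparsable line: skip rather than stop the pipeline
        ip, ts, method, status, cookie = rec["ip"], rec["ts"], rec["method"], rec["status"], rec["cookie"]
        path = rec["path"].split("?", 1)[0]  # ignore query strings when matching paths

        # Rule 1 (CVE-2026-49200): unauthenticated GET of the credential log.
        # A 2xx status confirms exposure; anything else is still a probe worth recording.
        if method == "GET" and path == LOG_PATH:
            log_readers.add(ip)
            if not is_authenticated(cookie):
                outcome = "exposed" if status.startswith("2") else "blocked"
                alerts.append(Alert("cve-2026-49200-unauth-log-read", ip, ts, f"status {status} ({outcome})"))

        # Rule 2 (CVE-2026-49201): backup restore from a host that is not an approved admin.
        elif method == "POST" and path.endswith("/" + BACKUP_HANDLER):
            if ip not in admin_hosts:
                alerts.append(Alert("cve-2026-49201-unexpected-backup-restore", ip, ts, f"status {status}"))
            # Correlation: the same client read the credential log earlier in this log window.
            if ip in log_readers:
                alerts.append(Alert("chain-log-read-then-restore", ip, ts, "credential log read preceded restore"))
    return alerts


def run_sample():
    """Run the rules over the constructed sample; used by the usage block and the test."""
    return detect(SAMPLE_LOG, ADMIN_HOSTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts}  {a.rule:45} {a.ip:15} {a.detail}")
```

On the sample, the admin host's authenticated restore produces nothing, while the second client produces three alerts: the unauthenticated log read, the out-of-allowlist restore, and the chain correlation. The correlation is deliberately window-scoped (state lives for one call to `detect`), which is the right default for batch review but means a streaming deployment would need to persist `log_readers` across batches.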
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-3300 | Everest Forms Pro (WordPress) | 9.8 | ~30% | No | Yes (mass, since 2026-04-13) | v1.9.13 (2026-03-18) | Wordfence |
| CVE-2026-49200 | Acer Wave-7 mesh router | 10.0 | n/a | No | No (no PoC seen) | None (≈end-June 2026) | BleepingComputer |
| CVE-2026-49201 | Acer Wave-7 mesh router | 10.0 | n/a | No | No (no PoC seen) | None (≈end-June 2026) | BleepingComputer |