CRITICAL | CVE-2026-49200 | CNA: Acer

CVE-2026-49200: Acer Wave 7 router: Broken Access Control

The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.

HarborGuard Analysis

Synopsis

This is a broken access control flaw in the Acer Wave 7 router, where the acer_cgi.log file is served by the web interface without any authentication. An unauthenticated attacker who can reach the router over the network can download the log and read cleartext web and Telnet login credentials, then use those credentials to take full administrative control of the device. No fix has been published by the vendor; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as upstream ships one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with CVE feeds ingested from upstream sources within minutes of publication and matched against router and embedded-firmware images in customer registries and build pipelines, including custom-built images. Coverage extends to images that bundle or derive from the affected Acer Wave 7 firmware.

Status: Available

Triage

Triage is available with the published CVSS v4 score of 10.0 (critical) attached to each finding and weighted against each customer org's compliance policy, so internet-exposed network appliances escalate faster than isolated lab images. Findings route to the inbox configured for critical network-device issues inside each customer org.

Status: Available

Patch

No upstream fix has been published, so a patched-image rebuild is not yet available. HarborGuard re-checks the Acer advisory on every ingest cycle and will make a rebuilt image at the fix version available the moment the vendor publishes one; auto-remediation customers will then receive a rebuild, a regression-test run, and a PR opened against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the router's web interface over the network (AV:N).

  • Authentication: Not required

    The vulnerable log file is served without any authentication (PR:N), so no account is needed.

  • Victim interaction: Not required

    No user action on the router or any victim is needed; the attacker simply requests the file (UI:N).

  • Attack complexity: Detail

    Attack complexity is low (AC:L); the exploit is a single unauthenticated HTTP request with no race or environmental conditions.

Blast Radius

  • Reads cleartext web admin and Telnet credentials directly from acer_cgi.log without logging in.
  • Logs in to the web UI and Telnet service as a legitimate administrator using the stolen credentials, taking full control of router configuration.
  • Modifies routing, DNS, firewall, and remote-access settings, enabling traffic interception, redirection, or persistent backdoor access on the network the router serves.
  • Disrupts connectivity for everyone behind the router by altering or disabling network services.

How HarborGuard Handles This

Available on HarborGuard: continuous tracking of the Acer advisory for CVE-2026-49200, with detection running against any image that ships or derives from Wave 7 firmware. Until Acer publishes a fix, suggested compensating controls include blocking access to the router's web interface from untrusted networks, restricting management to a dedicated VLAN or VPN, disabling Telnet, and rotating any credentials that may have been exposed via the log file. The moment an upstream fix is released, a patched-image rebuild becomes available on HarborGuard, and environments with auto-remediation enabled get the rebuild, a regression run, and a PR opened against affected workloads automatically.
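
A defender-side check for the exposure described above, as an added example that is not part of the original advisory or HarborGuard's own code: it scans HTTP access records from an upstream proxy or network sensor for requests to acer_cgi.log and lists the sources that actually received the file, which is the trigger for rotating the web and Telnet credentials. The Common Log Format input, the sample lines, the placeholder directory and the function names are assumptions; the advisory does not give the file's URL path.

```python
import re
from urllib.parse import unquote, urlsplit

# File name from the advisory; its URL path is not published there.
TARGET_FILE = "acer_cgi.log"

# Common Log Format: source, ident, user, [time], "METHOD target proto", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample records (assumption: sensor logs in CLF; not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /placeholder-dir/acer_cgi.log HTTP/1.1" 200 20480
198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /placeholder-dir/ACER_CGI.LOG?x=1 HTTP/1.1" 200 20480
203.0.113.4 - - [01/Jan/2026:10:01:00 +0000] "GET /placeholder-dir/acer%5Fcgi.log HTTP/1.1" 404 0
this line is not a log record
"""


def find_log_requests(text):
    """Return one record per request whose decoded path ends in TARGET_FILE."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip records written in another shape
        src, when, _method, target, status = m.groups()
        # Drop the query string, undo percent-encoding, ignore case.
        path = unquote(urlsplit(target).path).lower()
        if path.rsplit("/", 1)[-1] != TARGET_FILE:
            continue
        code = int(status)
        hits.append({"src": src, "time": when, "status": code,
                     "served": 200 <= code < 300})
    return hits


def sources_served(hits):
    """Sources that received the file: treat stored credentials as exposed."""
    return sorted({h["src"] for h in hits if h["served"]})


if __name__ == "__main__":
    found = find_log_requests(SAMPLE_LOG)
    for h in found:
        kind = "SERVED" if h["served"] else "attempt"
        print(f'{kind:8} {h["src"]:15} {h["status"]} {h["time"]}')
    print("rotate credentials; file was served to:", sources_served(found))
```
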

Metrics

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in:
Affected Products: 1
Affected packages:
  • Acer / Wave 7 router, ≤ *
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H