HarborGuard CVE advisory: CVE-2026-49201 (Severity: CRITICAL, CNA: Acer)

CVE-2026-49201: Acer Wave 7 router: Hardcoded Cryptographic Key

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

HarborGuard Analysis

Synopsis

A hardcoded AES key in the upload.cgi binary on Acer Wave 7 routers lets anyone who obtains a device backup decrypt it, tamper with its contents, and re-encrypt it so the device accepts the modified file. The flaw is reachable over the network with no authentication and no user interaction, and successful exploitation enables persistent backdoor injection with full read, write, and availability impact on the device and connected systems. No fix has been published; HarborGuard tracks the advisory for patch availability.
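To make the defect concrete, here is an added example contrasting the two designs. It is not Acer's code and nothing in it is taken from upload.cgi: the key constant, the derivation label, the sample configuration and the backup layout are all constructed for illustration. The static-key variant shows why anyone holding the binary can read and re-seal a backup even when an authenticated mode such as AES-GCM is used, while the per-device variant derives the backup key from a secret that never ships in the firmware, so possession of the binary alone is not enough and any modification is rejected by the AEAD tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for a constant baked into a binary; NOT the advisory's key.
// Any constant in shipped firmware is recoverable by whoever extracts the binary.
var firmwareConstantKey = []byte("example-static-key-do-not-ship!!") // 32 bytes

// sealGCM encrypts with AES-256-GCM and prepends the random nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// openGCM reverses sealGCM; it fails on a wrong key or on any modification.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Vulnerable pattern: every unit uses the same key that ships in the binary.
func EncryptBackupStatic(config []byte) ([]byte, error) {
	return sealGCM(firmwareConstantKey, config, nil)
}

func DecryptBackupStatic(blob []byte) ([]byte, error) {
	return openGCM(firmwareConstantKey, blob, nil)
}

// Hardened pattern: derive the key from a per-device secret (provisioned at
// manufacture, never in the firmware image) plus a fresh salt kept in the
// backup header; the salt is authenticated as AAD so header edits are caught.
const saltLen = 16

func deriveBackupKey(deviceSecret, salt []byte) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("router-backup-v1")) // constructed domain-separation label
	mac.Write(salt)
	return mac.Sum(nil) // 32 bytes -> AES-256
}

func EncryptBackupPerDevice(deviceSecret, config []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	body, err := sealGCM(deriveBackupKey(deviceSecret, salt), config, salt)
	if err != nil {
		return nil, err
	}
	return append(salt, body...), nil
}

func DecryptBackupPerDevice(deviceSecret, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("backup too short")
	}
	salt := blob[:saltLen]
	return openGCM(deriveBackupKey(deviceSecret, salt), blob[saltLen:], salt)
}

// OpenableFromFirmwareAlone models the advisory's threat: a party holding the
// binary (hence every constant in it) but no per-device secret. It tries both
// layouts with the only key material the firmware offers.
func OpenableFromFirmwareAlone(blob []byte) bool {
	if _, err := openGCM(firmwareConstantKey, blob, nil); err == nil {
		return true
	}
	if len(blob) < saltLen {
		return false
	}
	salt := blob[:saltLen]
	_, err := openGCM(deriveBackupKey(firmwareConstantKey, salt), blob[saltLen:], salt)
	return err == nil
}

func main() {
	config := []byte("wifi_psk=constructed-sample") // constructed sample config
	static, _ := EncryptBackupStatic(config)
	fmt.Println("static-key backup readable from firmware alone:", OpenableFromFirmwareAlone(static))
	deviceSecret := make([]byte, 32)
	rand.Read(deviceSecret)
	perDevice, _ := EncryptBackupPerDevice(deviceSecret, config)
	fmt.Println("per-device backup readable from firmware alone:", OpenableFromFirmwareAlone(perDevice))
}
```

Note the design trade-off: a key bound to one unit means a backup cannot be restored onto a replacement router; where that matters, the usual alternative is a key derived from a user-chosen passphrase with a password KDF rather than a constant, which keeps the property that matters here, that the firmware image alone holds nothing that opens a backup.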

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that bundle Acer Wave 7 firmware components or the upload.cgi binary.

Triage: Available

Triage is available with the published CVSS v4 score of 10.0 (critical) weighted against each customer's compliance policy, so the finding is routed to the right inbox inside each customer org with severity reflecting their own exposure and exploitability rules.

Patch: Pending upstream

Because no upstream fix exists yet, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment Acer publishes a fixed firmware or component version, with auto-remediation customers automatically receiving a rebuild, regression-test run, and PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the router's upload.cgi endpoint over the network (AV:N).

  • Authentication: Not required

    No credentials are needed; PR:N means the endpoint is exploitable by an unauthenticated attacker.

  • Victim interaction: Not required

    UI:N: no user has to click, open, or approve anything for the exploit to succeed.

  • Attack complexity: Low

    AC:L with AT:N: the hardcoded key is static, so the exploit is reliable and free of timing or environmental preconditions.

Blast Radius

  • Decrypts intercepted or extracted device backups and reads their full contents, including configuration and any embedded secrets.
  • Modifies backup contents and re-encrypts them with the hardcoded key so the device accepts tampered backups, enabling persistent backdoor injection.
  • Leverages the modified backup to gain durable control of the router, affecting integrity and availability of traffic passing through it.
  • Pivots into connected systems on the network the router fronts, with high confidentiality, integrity, and availability impact on those subsequent systems (SC:H/SI:H/SA:H).

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Acer advisory for this CVE. The patched-image rebuild becomes available automatically the moment an upstream fix ships; for environments with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads are opened at that point. In the meantime, compensating-control guidance is available: isolate Wave 7 devices on a dedicated management VLAN, restrict reachability to the upload.cgi endpoint via network policy, treat the contents of any existing backup file (including embedded secrets) as exposed to anyone who can obtain the file, and gate any feature that relies on backup integrity behind additional out-of-band verification until a vendor patch is published.

Metrics

  • CVSS v4.0: 10.0
  • Severity: CRITICAL
  • Fixed in: no fixed version published
  • Affected products: 1
  • Affected packages: Acer / Wave 7 router, versions ≤ * (all versions)
  • CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H