CVE-2026-49201
Analyzed Analyzed - Analysis Complete

Hardcoded AES Key in Upload.cgi Allows Backup Tampering

Vulnerability report for CVE-2026-49201, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-29

Last updated on: 2026-06-08

Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639

Description

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-29
Last Modified
2026-06-08
Generated
2026-07-09
AI Q&A
2026-05-29
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
acer wave_7_firmware to t7c_gbl_1.01.000055 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability involving a hardcoded AES encryption key in the upload.cgi binary allows attackers to decrypt, modify, and re-encrypt system backups, enabling persistent backdoor injection and unauthorized system access.

Such unauthorized access and potential data manipulation could lead to violations of common standards and regulations like GDPR and HIPAA, which require the protection of sensitive data and system integrity.

Failure to secure backups and prevent unauthorized access may result in non-compliance with these regulations, potentially exposing personal or protected health information to compromise.

Executive Summary

The vulnerability exists in the upload.cgi binary of the Acer Wave 7 router, which processes device backups. It contains a hardcoded AES encryption key, allowing an attacker to decrypt, modify, and re-encrypt system backups.

This enables the attacker to inject a persistent backdoor into the system, compromising the device's security.

Impact Analysis

An attacker exploiting this vulnerability can gain unauthorized access to the router by decrypting and modifying system backups.

This can lead to persistent backdoor injection, allowing continuous unauthorized control over the device without detection.

Such control can compromise network security, potentially exposing connected devices and sensitive data.

Mitigation Strategies

Users of the Acer Wave 7 router running firmware version T7c_GBL_1.01.000055 or earlier should update their devices to the security firmware update once it is released.

Acer is developing a patch expected by the end of June 2026 to address the vulnerability involving hardcoded cryptographic keys and broken access control.

Until the patch is available, users should be cautious of unauthorized access and avoid exposing the device to untrusted networks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart