CVE-2026-49201
Hardcoded AES Key in Upload.cgi Allows Backup Tampering

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639

Description
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
Affected Vendors & Products
One associated CPE:
Vendor: acer
Product: wave_7_router
Version / Range: up to and including T7c_GBL_1.01.000055
CWE
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the upload.cgi binary of the Acer Wave 7 router, which processes device backups. It contains a hardcoded AES encryption key, allowing an attacker to decrypt, modify, and re-encrypt system backups.

This enables the attacker to inject a persistent backdoor into the system, compromising the device's security.


How can this vulnerability impact me?

An attacker exploiting this vulnerability can gain unauthorized access to the router by decrypting and modifying system backups.

This can lead to persistent backdoor injection, allowing continuous unauthorized control over the device without detection.

Such control can compromise network security, potentially exposing connected devices and sensitive data.


What immediate steps should I take to mitigate this vulnerability?

Users of the Acer Wave 7 router running firmware version T7c_GBL_1.01.000055 or earlier should update their devices to the security firmware update once it is released.

Acer is developing a patch expected by the end of June 2026 to address the vulnerability involving hardcoded cryptographic keys and broken access control.

Until the patch is available, users should be cautious of unauthorized access and avoid exposing the device to untrusted networks.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability involving a hardcoded AES encryption key in the upload.cgi binary allows attackers to decrypt, modify, and re-encrypt system backups, enabling persistent backdoor injection and unauthorized system access.

Such unauthorized access and potential data manipulation could lead to violations of common standards and regulations like GDPR and HIPAA, which require the protection of sensitive data and system integrity.

Failure to secure backups and prevent unauthorized access may result in non-compliance with these regulations, potentially exposing personal or protected health information to compromise.

