
Acer working to patch max severity zero-days in Wave 7 routers

ID: d6dd7182-595c-5de0-abbb-d9a1fa217536

STIX ID: report--d6dd7182-595c-5de0-abbb-d9a1fa217536

Feed Name: Bleeping Computer

Threat Score: 75/100

Date Published: 2026-06-03

Date Updated: 2026-06-03

Author: Sergiu Gatlan


Acer disclosed two maximum-severity zero-day flaws in Wave 7 routers (firmware T7c_GBL_1.01.000055 or earlier): an unauthenticated broken access control (CVE-2026-49200) exposing plaintext login credentials from acer_cgi.log, and a hardcoded AES key in upload.cgi (CVE-2026-49201) that permits attackers to decrypt, modify, and re-encrypt backups to inject a persistent backdoor. No fixes are available yet; Acer targets firmware updates by the end of June 2026 and recommends disabling remote management, restricting remote access to trusted IPs, and applying updates once released.
