Acer Wave 7: Critical Zero-Days Exposed, Patch Not Expected Until Late June
Acer confirms two vulnerabilities (CVSS 10.0 and 9.8) in its Wave 7 router, involving cleartext credential leaks and a persistent backdoor via encrypted backup…
Acer published a security advisory on May 28, 2026, for its Wave 7 consumer router, confirming two maximum-severity vulnerabilities in firmware version T7c_GBL_1.01.000055 and earlier. Both flaws are remotely exploitable without authentication. The first exposes administrative credentials in cleartext through a web-accessible log file, while the second allows attackers to inject persistent backdoors by manipulating device backups using a hardcoded AES key. This combination transforms any internet-exposed Wave 7 into an entry point for total network compromise, with persistence that survives reboots. A fix is currently in development with a target release of late June 2026.
- The
acer_cgi.logfile is accessible without authentication and contains cleartext web and Telnet credentials: CVSS 4.0 score of 9.8. - A hardcoded AES key in
upload.cgienables the decryption, modification, and re-encryption of backups for backdoor injection: CVSS 4.0 score of 10.0. - Affected firmware includes version T7c_GBL_1.01.000055 and earlier; the advisory documents no workarounds.
- The patch is scheduled for late June 2026, approximately four weeks after the advisory's publication.
Information Leak: Cleartext Credentials in System Logs
The first vulnerability resides in the acer_cgi.log file, a standard component of the Wave 7 firmware. Acer’s advisory describes the mechanism precisely: the file is reachable via the web interface without requiring any form of authentication. It stores cleartext login credentials for both the web administration interface and the Telnet service.
"The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access." — Acer Security Advisory
The attack vector is entirely remote and requires no prior privileges or user interaction. The CVSS 4.0 score of 9.8 reflects this configuration: network accessibility, zero attacker complexity, and high impact on system confidentiality, integrity, and availability. The flaw is classified under CWE-532, relating to sensitive information inserted into log files without adequate protection. For a consumer router typically positioned at the boundary between a home network and the internet, this exposure is the digital equivalent of leaving the house keys under the doormat.
The Persistence Chain: From AES Key to Backup Backdoors
The second vulnerability elevates the risk from simple compromise to total, persistent control. The upload.cgi binary, responsible for managing device backups, contains a hardcoded AES key. This key allows anyone who knows it—and hardcoding makes it inherently discoverable—to decrypt a backup exported from the router, modify its content to insert malicious code, and re-import it into the device.
Acer’s advisory explicitly describes the consequence as "facilitating persistent backdoor injection." Persistence is the critical factor here. Unlike volatile changes to runtime configurations, a backdoor injected via a backup is saved to the router's non-volatile memory and survives reboots, partial resets, or firmware updates that do not explicitly overwrite the compromised partition.
The CVSS 4.0 score of 10.0—the theoretical maximum—includes the extended impact on the subsystem (SC:H, SI:H, SA:H), indicating that the compromise is not limited to the device itself but can propagate to connected components. The classification is CWE-798 for hardcoded cryptographic credentials. When combined with the first vulnerability, it creates a two-stage attack chain: initial credential access followed by escalation to silent persistence.
Exposure Window: 30 Days Without Documented Defenses
Acer released the advisory on May 28, 2026, with a timeline that sets the corrective firmware release for "by the end of June 2026." This leaves a gap of approximately four weeks. The advisory does not list temporary workarounds, manual countermeasures, or intermediate mitigation procedures. For a consumer device typically deployed with internet-exposed services—where Telnet is active and credentials are in cleartext—this lag leaves users without verifiable defensive options.
The dossier does not specify whether Acer coordinated the disclosure with threat intelligence networks, if warnings were issued to telecom operators distributing the Wave 7, or if researcher Gergo Pap received a response within a defined timeframe prior to publication. What emerges is an "upcoming fix" communication model that assumes users can wait without active exposure—an optimistic presupposition for consumer hardware managed by non-technical users.
Why It Matters
The dossier documents no specific corrective measures beyond the promised firmware update. The source does not specify the nature of data potentially already exposed by compromised routers, nor does it indicate if verifiable indicators of compromise (IoCs) exist for users. While no infrastructure overlaps currently link these vulnerabilities to known campaigns, the absence of such a link in the brief does not equate to an absence of risk; it is simply undocumented.
The structure of the advisory—detailed on technical mechanisms but vague on immediate countermeasures—reflects a common tension in the responsible disclosure of consumer embedded devices. The vendor prioritizes acknowledging the researcher's discovery and setting a timeline, while the end-user receives a danger warning without operational leverage. In a SOHO or home context, where no SOC exists to monitor anomalies, this asymmetry is particularly pronounced.
The Wave 7 is a consumer-grade Wi-Fi 7 router; typical installations do not include network segmentation, centralized logging, or dedicated technical staff. A compromise of the device is equivalent to a compromise of the perimeter itself, enabling lateral movement toward internal devices—a possibility the brief does not quantify but which home network structures make technically feasible.
FAQ
Which Wave 7 versions are confirmed as vulnerable?
The Acer advisory identifies firmware T7c_GBL_1.01.000055 and earlier. It is not specified if subsequent versions already released are immune.
Is it possible to verify if a router has been compromised?
The dossier provides no indicators of compromise (IoCs) or forensic procedures for end-users. The only documented verification is the installed firmware version.
Why is the second CVSS score 10.0 while the first is 9.8?
The CVSS 4.0 vector for the second vulnerability includes subsystem impact parameters (SC:H/SI:H/SA:H) that elevate the calculation to the theoretical maximum, beyond the primary system impact already present in the first.
The combination of cleartext credentials and persistence via a known-key encrypted backup creates a scenario where responsible disclosure leaves the field exposed until the promised fix. The technical quality of Acer's advisory is clear: complete details, researcher recognition, and a declared timeline. The question the document leaves unanswered is whether this form of transparency is sufficient for those who lack the tools to act on the information provided.
Sources
- https://community.acer.com/en/kb/articles/19673
- https://www.fortinet.com/resources/cyberglossary/national-vulnerability-database-nvd
- https://support.google.com/analytics/answer/6004245?hl=en
- https://support.google.com/google-ads/answer/1722022?hl=en
- https://support.google.com/analytics/answer/14252663?hl=en