CVE-2026-49200

CRITICAL

Acer Wave 7 router: Broken Access Control

Title source: cna

Description

The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.

References (1)

Core 1

Core References

https://community.acer.com/en/kb/articles/19673

Scores

CVSS v3 9.8

EPSS 0.0036

EPSS Percentile 27.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-532

Status published

Products (2)

Acer/Wave 7 router T7c_GBL_1.01.000055

acer/wave_7_firmware < t7c_gbl_1.01.000055

Published May 29, 2026

Tracked Since May 29, 2026