CVE-2026-49200 CRITICAL

CVE-2026-49200: Acer Wave 7 router: Broken Access Control

Vendor Acer
Product Wave 7 router
Weakness CWE-532 · Sensitive info in logs
Published May 29, 2026
Last update May 29, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated