Description
The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.
Published: 2026-05-29
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to retrieve the acer_cgi.log file through the web interface. The log file contains cleartext credentials for both the web management interface and Telnet, giving anyone who uses them a direct path to compromise the router. The record titles the issue as broken access control and classifies the weakness as CWE-532 (Insertion of Sensitive Information into Log File).

Affected Systems

Acer Wave 7 routers are affected. The record does not list specific firmware versions, so all models running the current firmware that exposes the acer_cgi.log file are vulnerable.

Risk and Exploitability

The CVSS score of 10.0 indicates critical severity. Exploitation requires only access to the web interface, with no authentication, making the flaw trivially exploitable in any exposed environment. EPSS is not available and the vulnerability is not yet listed in CISA’s KEV catalog, but the lack of authentication and the presence of sensitive credentials make the risk very high.

Generated by OpenCVE AI on May 29, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest version that removes or secures the acer_cgi.log file.
  • Restrict access to the web management interface using firewall rules or a dedicated VLAN so only trusted IP addresses can reach the port.
  • Disable Telnet service or change its credentials to a strong, unique password; consider disabling Telnet entirely if it is not required.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Acer; Acer wave 7 Router
Vendors & Products | | Acer; Acer wave 7 Router

Fri, 29 May 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.
Title | | Acer Wave 7 router: Broken Access Control
Weaknesses | | CWE-532
References | |
Metrics | | cvssV4_0: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-05-29T10:54:23.855Z

Reserved: 2026-05-28T02:47:39.776Z

Link: CVE-2026-49200

Vulnrichment

Updated: 2026-05-29T10:54:18.524Z

NVD

Status: Awaiting Analysis

Published: 2026-05-29T09:16:18.270

Modified: 2026-05-29T14:46:09.837

Link: CVE-2026-49200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:14Z
