Description
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
Published: 2026-05-29
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The upload.cgi binary in the Acer Wave 7 router embeds a hard‑coded AES key, allowing an adversary to decrypt system backups, alter their contents, and re‑encrypt them with the same key. By modifying configuration data in this manner the attacker can introduce a persistent backdoor, compromise integrity and confidentiality of the router’s state, and evade future detection. The flaw is a classic example of inappropriate hard‑coded cryptographic material (CWE‑798).

Affected Systems

Acer Wave 7 routers are affected. No specific firmware versions are listed in the advisory, but all builds that include the vulnerable upload.cgi binary are at risk.

Risk and Exploitability

The CVSS score of 10 indicates that exploiting this flaw would provide the attacker with high‑impact capabilities. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the absence of mitigation information means it can be continuously abused. Based on the description, the likely attack vector is the upload.cgi interface, which is reachable on the local network and requires authentication; an attacker who gains local or remote access to this endpoint can perform the exploit.

Generated by OpenCVE AI on May 29, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version that removes or protects the hardcoded encryption key
  • If a firmware update is not immediately available, disable the backup upload feature or restrict its access to trusted administrative devices
  • After firmware changes, re‑create and encrypt any existing backups using a unique, administrator‑controlled key to prevent reuse of compromised backups

Generated by OpenCVE AI on May 29, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Acer
Acer wave 7 Router
Vendors & Products Acer
Acer wave 7 Router

Fri, 29 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
Title Acer Wave 7 router: Hardcoded Cryptographic Key
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Acer Wave 7 Router
cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-05-29T10:53:32.056Z

Reserved: 2026-05-28T02:47:39.776Z

Link: CVE-2026-49201

cve-icon Vulnrichment

Updated: 2026-05-29T10:53:27.538Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T11:16:17.183

Modified: 2026-05-29T14:46:09.837

Link: CVE-2026-49201

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:47:12Z

Weaknesses