Hardcoded AES Encryption Key Vulnerability in Device Backup Utility by Acer
CVE-2026-49201
10 CRITICAL
What is CVE-2026-49201?
The upload.cgi binary used in Acer's device backup processes contains a hardcoded AES encryption key. This critical flaw lets attackers decrypt sensitive backups, modify their contents, and re-encrypt them, potentially establishing persistent backdoors. By exploiting this vulnerability, unauthorized users can gain access to system backups, which poses a significant risk to data integrity and system security.
Affected Version(s)
Wave 7 router Windows T7c_GBL_1.01.000055
