SB2026060495 - Multiple vulnerabilities in Acer Wave 7 Router




Published: June 4, 2026

Security Bulletin ID: SB2026060495
CSH Severity: High
Patch available: NO
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Inclusion of Sensitive Information in Log Files (CVE-ID: N/A)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information and gain unauthorized system access.

The vulnerability exists because sensitive information is written to log archives in acer_cgi.log when the device handles unauthenticated web interface requests. A remote attacker can access the log file and read cleartext login credentials, disclosing sensitive information and gaining unauthorized system access.

The exposed credentials include web and Telnet login credentials.


2) Use of Hard-coded Cryptographic Key (CVE-ID: N/A)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to modify encrypted backups and inject a persistent backdoor.

The vulnerability exists due to the use of a hard-coded cryptographic key in upload.cgi when processing device backups. A remote attacker can decrypt, modify, and re-encrypt system backups to inject a persistent backdoor.
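
With no patch available, defenders can watch HTTP traffic to the router for the two entry points named above: reads of acer_cgi.log and backup uploads to upload.cgi. The following is an added detection sketch, not code from the vendor or from this bulletin; the log format, subnet, router address and URL paths are constructed assumptions, and matching is done on the file names only because the bulletin gives no paths.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumptions: adjust both values to your own network.
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")  # hosts allowed to administer the router
ROUTER_IPS = {"192.168.1.1"}                       # addresses the router answers on

# Constructed sample in a hypothetical "ts src dst method uri status" format, as an
# upstream proxy or network sensor might export it. The URL paths are placeholders.
SAMPLE_LOG = """\
2026-06-04T10:00:01Z 192.168.1.20 192.168.1.1 GET /index.html 200
2026-06-04T10:02:13Z 203.0.113.7 192.168.1.1 GET /logs/acer_cgi.log 200
2026-06-04T10:02:40Z 203.0.113.7 192.168.1.1 POST /cgi-bin/upload.cgi 200
2026-06-04T10:05:00Z 192.168.1.20 192.168.1.1 POST /cgi-bin/upload.cgi 200
2026-06-04T10:06:00Z 198.51.100.9 192.168.1.1 GET /%61cer_cgi.log 404
malformed line
"""

def classify(src, method, uri, status):
    """Return a rule name for a request to the router, or None if it is not of interest."""
    # Compare the URL-decoded file name only, so encoding and directory do not matter.
    name = unquote(urlsplit(uri).path).rsplit("/", 1)[-1].lower()
    outside = ipaddress.ip_address(src) not in MGMT_NET
    if name == "acer_cgi.log":
        # A 2xx status means the credential-bearing log was actually served.
        return "log-read-served" if 200 <= status < 300 else "log-read-attempt"
    if name == "upload.cgi" and method == "POST" and outside:
        return "backup-upload-from-unmanaged-source"
    return None

def detect(log_text):
    """Return (timestamp, source, rule) for every suspicious request in log_text."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] not in ROUTER_IPS:
            continue  # wrong shape, or traffic not addressed to the router
        ts, src, _dst, method, uri, status = parts
        try:
            rule = classify(src, method, uri, int(status))
        except ValueError:
            continue  # unparsable address, URI or status code
        if rule:
            findings.append((ts, src, rule))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

A `log-read-served` finding means the web and Telnet credentials should be treated as exposed and changed.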


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.