Use of Hard-coded Cryptographic Key in Acer Wave 7 Router - #VU133366

 


Published: June 4, 2026


Vulnerability identifier: #VU133366
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Acer
Affected software:
Acer Wave 7 Router

Detailed vulnerability description

The vulnerability allows a remote attacker to modify encrypted backups and inject a persistent backdoor.

The vulnerability exists due to the use of a hard-coded cryptographic key in upload.cgi when processing device backups. A remote attacker can decrypt, modify, and re-encrypt system backups to inject a persistent backdoor.
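The mitigation pattern for this weakness class (CWE-321) is sketched below as an added example; it is not Acer's code and not taken from the advisory. It contrasts a restore check keyed with a firmware-wide constant against one keyed per device. All names and key values are constructed, and encryption is omitted so that only the authenticity check is shown.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # length of an HMAC-SHA256 tag

# Weak pattern: one constant shipped in every firmware image.
# Constructed value for illustration, not the router's real key.
FIRMWARE_KEY = b"constructed-shared-constant"


def device_key(device_secret: bytes, purpose: bytes = b"backup-auth-v1") -> bytes:
    """Derive a backup-authentication key from a per-device secret (assumed
    to be provisioned uniquely per unit and never exported)."""
    return hmac.new(device_secret, purpose, hashlib.sha256).digest()


def seal_backup(key: bytes, config: bytes) -> bytes:
    """Export side: append an HMAC-SHA256 tag computed over the config."""
    return config + hmac.new(key, config, hashlib.sha256).digest()


def open_backup(key: bytes, blob: bytes) -> bytes:
    """Restore side: verify the tag before the config is parsed or applied."""
    if len(blob) < TAG_LEN:
        raise ValueError("backup too short")
    config, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, config, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup authentication failed")
    return config


def restore_accepts(key: bytes, blob: bytes) -> bool:
    """True if the restore handler would accept this blob under `key`."""
    try:
        open_backup(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # A backup built off-device by anyone holding a copy of the firmware.
    foreign = seal_backup(FIRMWARE_KEY, b"constructed config\n")
    per_device = device_key(os.urandom(32))
    print("shared-key restore accepts foreign backup:",
          restore_accepts(FIRMWARE_KEY, foreign))
    print("per-device restore accepts foreign backup:",
          restore_accepts(per_device, foreign))
```

A per-device key means a backup can only be restored on the unit that produced it, so any cross-device restore feature needs a separate, user-supplied passphrase rather than a shared constant.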


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability. The vendor plans to deploy a fix by the end of June 2026.

Sources