Security researchers have disclosed two maximum-severity vulnerabilities in Acer’s Wave 7 mesh router — and neither has a patch yet. The first flaw, CVE-2026-49200, allows anyone on the internet to access an unsecured log file inside the router that stores your Wi-Fi login credentials in plain text, with no password required. The second flaw, CVE-2026-49201, exploits a hardcoded encryption key baked into the router’s backup system, allowing an attacker to silently modify a backup file and inject a permanent backdoor that survives reboots and even factory resets.
Acer has acknowledged both vulnerabilities and says patches are planned for release by the end of June 2026. Until then, the company’s recommended workaround is to disable remote management — the feature that lets you control the router from outside your home network. If you do not actively use remote access, turning it off closes the main attack path. Acer’s support page will post firmware update notices when the fix is ready.
How to check if you’re affected
Affected models are the Acer Wave 7 router running firmware version T7c_GBL_1.01.000055 or earlier. Check the label on the bottom of your router — if it says “Acer Wave 7,” open your router’s web interface (usually found at 192.168.1.1 in your browser), navigate to System Management → Remote Management, and turn off remote access. Check the same page in a few weeks for a firmware update and install it as soon as it appears.