
Critical Zero-Day Flaws Open Acer Wave 7 Routers to Remote Takeover

Two critical vulnerabilities in Acer Wave 7 routers allow attackers to extract plaintext passwords and deploy backdoors using a hardcoded encryption key.

CSBadmin

Vulnerability Details and Attack Vector

Acer is preparing a firmware update to address a critical zero-day vulnerability affecting its Wave 7 routers, following disclosure by independent security researcher Gergo Pap. The issue, impacting devices running older firmware versions, stems from two distinct weaknesses that together create a severe remote exploitation risk. The first flaw is a broken access control problem, where the router exposes a log file through its web interface without requiring authentication. This file contains plaintext credentials for both the administrative web panel and Telnet services, allowing an attacker to remotely obtain valid login details and bypass all authentication controls.

The second vulnerability involves the use of a hardcoded AES encryption key embedded in the router’s binary. This key, which is fixed and not securely managed, is used for configuration backup and restore operations. Attackers can decrypt router configuration backups, modify them to add malicious instructions or backdoor access, and re-upload the altered files to the device. This enables persistent compromise, granting attackers continued control even after system reboots or credential changes.
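The following sketch is an added example, not Acer's code or the researcher's, showing why a key shared by every unit cannot protect the restore path and how a per-device key changes the outcome. It swaps AES for an HMAC-SHA256 integrity tag because the Python standard library has no AES; the key names, the per-unit secret and the sample configurations are constructed assumptions.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

# Constructed stand-in for a key compiled into every firmware image.
FIRMWARE_WIDE_KEY = b"same-key-in-every-unit"


def derive_device_key(device_secret: bytes) -> bytes:
    """Derive a backup key from a per-unit secret (assumed provisioned at manufacture)."""
    return hmac.new(device_secret, b"config-backup-v1", hashlib.sha256).digest()


def seal_backup(config: bytes, key: bytes) -> bytes:
    """Export: prepend an authentication tag computed over the configuration."""
    return hmac.new(key, config, hashlib.sha256).digest() + config


def restore_backup(blob: bytes, key: bytes) -> bytes:
    """Import: return the configuration only if its tag verifies under `key`."""
    if len(blob) < TAG_LEN:
        raise ValueError("backup rejected: too short")
    tag, config = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, config, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("backup rejected: authentication tag mismatch")
    return config


def restore_accepts(blob: bytes, key: bytes) -> bool:
    """True if the restore routine would apply this backup file."""
    try:
        restore_backup(blob, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    original = b"admin_remote=0\ndns=192.0.2.53\n"   # constructed sample config
    altered = b"admin_remote=1\ndns=198.51.100.9\n"  # constructed edited copy
    device_key = derive_device_key(b"unit-serial-0001-secret")  # constructed secret
    # Shared key: a file sealed outside the device still verifies on import.
    print("shared key accepts altered file:",
          restore_accepts(seal_backup(altered, FIRMWARE_WIDE_KEY), FIRMWARE_WIDE_KEY))
    # Per-device key: the same file fails, while the unit's own export round-trips.
    print("per-device key accepts altered file:",
          restore_accepts(seal_backup(altered, FIRMWARE_WIDE_KEY), device_key))
    print("own export restores:",
          restore_backup(seal_backup(original, device_key), device_key) == original)
```

A production design would pair this with authenticated encryption so the backup is also confidential; the sketch covers only the integrity check on restore.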

Impact and Mitigation

The combination of these vulnerabilities creates a highly exploitable attack surface. Threat actors could gain full administrative access, intercept network traffic, manipulate DNS settings, or recruit affected devices into botnets. Routers exposed to the internet are particularly at risk, as exploitation requires no prior authentication or user interaction. Acer has confirmed that a security patch is under development and is expected to be released by the end of June 2026. The company urges users to update their firmware as soon as the fix becomes available. As interim precautions, users should disable remote administration features and restrict access to the router's management interface to trusted internal networks only.

Source: Cyber Security News
