CVE-2026-49201

Summary

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

Affected Software

VendorProductVersion RangeStatus
AcerWave 7 routerT7c_GBL_1.01.000055 <= *affected

Weaknesses

  • CWE-798: CWE-798: Using Hardcoded Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References