The vulnerability CVE-2026-49201 affects the Acer Wave 7 router, specifically version T7c_GBL_1.01.000055. The upload.cgi binary responsible for processing device backups includes a hardcoded AES encryption key. This cryptographic weakness allows an attacker to decrypt system backups, alter their contents, and re-encrypt them, facilitating the injection of persistent backdoors into the device. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and has a critical CVSS 4.0 score of 10, indicating network exploitable without privileges or user interaction and with high impact on confidentiality, integrity, availability, and security requirements. No patch or official remediation level has been provided by Acer as of the published date.

Successful exploitation allows an unauthenticated attacker to fully compromise the device by decrypting and modifying system backups, leading to persistent backdoor installation. This compromises the confidentiality, integrity, and availability of the router and potentially the network it serves. Given the critical CVSS score and the nature of the vulnerability, the impact is severe.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the device management interfaces and backup files to trusted networks and personnel only. Monitor for vendor updates regarding patches or mitigations. Avoid using affected versions if possible.