CVE-2026-49200 | The acer_cgi.log file in the device firmware is accessible w… | CVSS 10.0 CRITICAL

Description

The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.

Metadata

CVE ID: CVE-2026-49200
State: PUBLISHED
Assigner: Acer
Reserved: 2026-05-28 02:47 UTC
Published: 2026-05-29 08:51 UTC
Last updated: 2026-05-29 10:54 UTC
Primary CWE: CWE-532
CWE-532: Sensitive information inserted into log archives
Vendor / Product: Acer / Wave 7 router
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Acer	Wave 7 router	Windows	T7c_GBL_1.01.000055 ≤ *

Weakness (CWE)

CWE	Source	Description
CWE-532	cna	CWE-532: Sensitive information inserted into log archives

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (1)

https://community.acer.com/en/kb/articles/19673