CVE-2026-49201
published 2026-05-29CVE-2026-49201: The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and…
PriorityP359critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.26%
17.5th percentile
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acer | wave_7_firmware | <= t7c_gbl_1.01.000055 | — |
| acer | wave_7_router | T7c_GBL_1.01.000055 – * | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.010.0CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
blogs_hackernews·2026-06-08·CVSS 8.4
CVE-2025-48595 [HIGH] ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked.
A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and stealing it bit by bit.
Lots to cover. Grab coffee. Read up.
## ⚡ Threat of the Week
Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain
Bleepingcomputer
Acer working to patch max severity zero-days in Wave 7 routers
blogs_bleepingcomputer·2026-06-03·CVSS 10.0
CVE-2026-49200 [CRITICAL] Acer working to patch max severity zero-days in Wave 7 routers
## Acer working to patch max severity zero-days in Wave 7 routers
## Sergiu Gatlan
Acer confirmed that it's working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.
According to a Friday security advisory , the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.
The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200 , can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives.
"The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system
2026-05-29
Published