CRITICAL🇵🇱 Wersja polska

CVE-2026-49200

CVSS 10.0v4.0pub. 2026-05-29upd. 2026-06-08

The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.

🤖 AI Analysis
How it works

The acer_cgi.log file stores credentials (usernames and passwords) for the web interface and Telnet service in unencrypted form (cleartext). This file is publicly accessible through the device's web interface without requiring any login credentials. An attacker can download the file directly over the network, read the contained credentials, and use them to take control of the device.

Impact

An attacker gains full access to the device through the web interface or Telnet protocol using stolen credentials, resulting in complete system takeover.

Mitigation & patch

Apply patches available from the manufacturer according to references (https://community.acer.com/en/kb/articles/19673). Until the fix is implemented, it is recommended to restrict access to the device's web interface only to trusted networks or IP addresses and disable the Telnet service.

Who is affected

Acer devices equipped with vulnerable firmware containing the acer_cgi.log file — specific models indicated in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Acer Wave 7

    HW
    Acer
    wszystkie wersje
  • Acer Wave 7 Firmware

    OS
    Acer
    ≤ t7c_gbl_1.01.000055
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-49201CRITICAL10.0PL ✓ten sam produkt

Zakodowany na stałe klucz AES w upload.cgi umożliwia wstrzyknięcie backdoora

CVE-2026-49190CRITICAL9.4PL ✓ten sam vendor

Command injection w Acer Connect M6E 5G — nieautoryzowane wykonanie poleceń

CVE-2026-49191CRITICAL9.3PL ✓ten sam vendor

Acer Connect M6E 5G — hardkodowane klucze API w M3WebServer (Auth Bypass)

CVE-2026-49185CRITICAL10.0PL ✓ten sam vendor

Command injection w Acer Connect M6E 5G via FieldX MDM adb messaging

CVE-2026-49194CRITICAL9.4PL ✓ten sam vendor

Acer Connect M6E 5G — pominięcie uwierzytelnienia przez procedurę debugowania