The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
The upload.cgi binary stores the AES key directly in the application code, with no possibility of changing it by the user or administrator. An attacker who obtains a device backup file can use this key to decrypt it, introduce malicious modifications, and then re-encrypt the modified file. Such a prepared backup can be restored on the device, resulting in permanent embedding of a backdoor in the system.
An attacker can gain persistent, unauthorized control over the device by injecting a backdoor through a manipulated backup. The high CVSS score of 10.0 indicates a complete breach of confidentiality, integrity, and availability of both the target system and related systems.
Apply patches available from the manufacturer according to the references (https://community.acer.com/en/kb/articles/19673). Due to the hardcoded cryptographic key, the only effective solution is a firmware update that provides a new implementation without hardcoded credentials.
Devices using the binary upload.cgi component for backup handling — detailed information about versions is indicated in the manufacturer's references (Acer).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAcer Wave 7
HWAcerwszystkie wersjeAcer Wave 7 Firmware
OSAcer≤ t7c_gbl_1.01.000055
Related vulnerabilities
Ujawnienie danych uwierzytelniających w pliku logu firmware urządzeń Acer
Command injection w Acer Connect M6E 5G — nieautoryzowane wykonanie poleceń
Acer Connect M6E 5G — hardkodowane klucze API w M3WebServer (Auth Bypass)
Command injection w Acer Connect M6E 5G via FieldX MDM adb messaging
Acer Connect M6E 5G — pominięcie uwierzytelnienia przez procedurę debugowania