CRITICAL🇵🇱 Wersja polska

CVE-2026-49201

CVSS 10.0v4.0pub. 2026-05-29upd. 2026-06-08

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

🤖 AI Analysis
How it works

The upload.cgi binary stores the AES key directly in the application code, with no possibility of changing it by the user or administrator. An attacker who obtains a device backup file can use this key to decrypt it, introduce malicious modifications, and then re-encrypt the modified file. Such a prepared backup can be restored on the device, resulting in permanent embedding of a backdoor in the system.

Impact

An attacker can gain persistent, unauthorized control over the device by injecting a backdoor through a manipulated backup. The high CVSS score of 10.0 indicates a complete breach of confidentiality, integrity, and availability of both the target system and related systems.

Mitigation & patch

Apply patches available from the manufacturer according to the references (https://community.acer.com/en/kb/articles/19673). Due to the hardcoded cryptographic key, the only effective solution is a firmware update that provides a new implementation without hardcoded credentials.

Who is affected

Devices using the binary upload.cgi component for backup handling — detailed information about versions is indicated in the manufacturer's references (Acer).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Acer Wave 7

    HW
    Acer
    wszystkie wersje
  • Acer Wave 7 Firmware

    OS
    Acer
    ≤ t7c_gbl_1.01.000055
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-49200CRITICAL10.0PL ✓ten sam produkt

Ujawnienie danych uwierzytelniających w pliku logu firmware urządzeń Acer

CVE-2026-49190CRITICAL9.4PL ✓ten sam vendor

Command injection w Acer Connect M6E 5G — nieautoryzowane wykonanie poleceń

CVE-2026-49191CRITICAL9.3PL ✓ten sam vendor

Acer Connect M6E 5G — hardkodowane klucze API w M3WebServer (Auth Bypass)

CVE-2026-49185CRITICAL10.0PL ✓ten sam vendor

Command injection w Acer Connect M6E 5G via FieldX MDM adb messaging

CVE-2026-49194CRITICAL9.4PL ✓ten sam vendor

Acer Connect M6E 5G — pominięcie uwierzytelnienia przez procedurę debugowania