Acer confirmed that it’s working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.

According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.

The first zero-day, a broken access control vulnerability tracked as CVE-2026–49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives.