Acer Working to Patch Max Severity Zero-Days in Wave 7 Routers

Acer has confirmed it is working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers — consumer and small business networking hardware used widely in home offices and branch environments. Both flaws carry the highest possible CVSS score of 10.0, and neither has a patch available as of the time of publication.

The disclosure follows responsible reporting by security researchers who identified the vulnerabilities and notified Acer before going public. Acer has acknowledged the issues and stated that a firmware update is in development.

What Was Found

Researchers identified two separate vulnerabilities in the Acer Wave 7 router firmware, each independently rated at CVSS 10.0 — the maximum severity score. While full technical details have been withheld pending patch availability, the disclosure indicates:

Both vulnerabilities are remotely exploitable
No authentication is required to trigger either flaw
Successful exploitation enables remote code execution on the affected device
The attack surface is the router's network-accessible administration interface

CVSS 10.0 scores are reserved for vulnerabilities that are network-accessible, require no privileges, need no user interaction, and result in complete compromise of confidentiality, integrity, and availability. Both flaws meet all of those criteria.

Affected Hardware

The vulnerabilities affect the Acer Wave 7 mesh router series, including:

Acer Wave 7 (all firmware versions currently released)
Devices configured in both single-router and mesh (multi-unit) deployments

Acer has not published a specific list of affected firmware versions, indicating the issue may span all current releases.

Why This Matters

Routers are a high-value target for attackers because:

They are always on — routers run continuously, providing persistent footholds once compromised
They sit at the network edge — a compromised router enables traffic interception for all connected devices
Firmware updates are rare — many users never update router firmware, meaning vulnerable devices persist in the field for years
They are trusted devices — traffic from routers is rarely inspected by endpoint security tools

For mesh router systems specifically, compromise of a single node can potentially propagate to others in the mesh, expanding the attacker's foothold across the entire home or office network.

A CVSS 10.0 unauthenticated RCE on a network device is as severe as vulnerabilities get. Any internet-accessible Acer Wave 7 router is at risk of exploitation without any user action.

Current Status

Item	Status
Patch availability	Not yet available
Acer acknowledgement	Confirmed — working on fix
CVE assignments	Pending
Active exploitation	Not confirmed — but no patch exists
Researcher PoC	Withheld pending patch

Acer has not provided a timeline for when the firmware update will be released.

Immediate Mitigations

Until a patch is available, Acer Wave 7 owners should take the following steps:

Reduce Attack Surface

Disable remote management — Turn off any web-based administration access from the WAN interface (internet side). Most home routers have this off by default, but verify your settings.
Verify administration interface is LAN-only — The router's admin panel should only be accessible from devices on your local network, not from the internet.
Change default credentials — If you have not changed the default admin password, do so immediately.

Monitor for Unusual Activity

Check connected devices — Review the router's connected device list for unknown MAC addresses or hostnames
Review outbound traffic — If your router supports traffic logging, look for unusual outbound connections, especially to unfamiliar IP addresses
Watch for configuration changes — Unexpected DNS server changes or port forwarding rules can indicate compromise

Prepare for the Patch

Enable automatic updates if available on your Acer Wave 7 model, or check Acer's support site frequently for firmware updates
Consider temporary replacement — For high-security environments, temporarily replacing the router until a patch is available may be warranted

Background: Mesh Router Security

Mesh networking systems like the Wave 7 use a combination of internet-facing and local network interfaces, making them attractive targets. The decentralized nature of mesh systems — multiple nodes communicating wirelessly — also introduces inter-node communication channels that may not be adequately secured.

Security researchers have increasingly focused on consumer mesh routers as a vulnerability class, with several high-profile disclosures against Netgear Orbi, TP-Link Deco, and similar products in recent years.

What to Watch For

CVE assignment: Acer and the reporting researchers are expected to file CVEs with NVD once the patch is ready
Patch release: Monitor Acer's support site and security advisories
Active exploitation: If threat intelligence surfaces indicating active exploitation, the urgency to mitigate escalates significantly
CISA KEV: If exploitation is confirmed, expect CISA to add these CVEs to the Known Exploited Vulnerabilities catalog with a mandatory federal patching deadline

Source: BleepingComputer — Published June 3, 2026

What Was Found

Both vulnerabilities are remotely exploitable
No authentication is required to trigger either flaw
Successful exploitation enables remote code execution on the affected device
The attack surface is the router's network-accessible administration interface

Affected Hardware

The vulnerabilities affect the Acer Wave 7 mesh router series, including:

Acer Wave 7 (all firmware versions currently released)
Devices configured in both single-router and mesh (multi-unit) deployments

Acer has not published a specific list of affected firmware versions, indicating the issue may span all current releases.

Why This Matters

Routers are a high-value target for attackers because:

They are always on — routers run continuously, providing persistent footholds once compromised
They sit at the network edge — a compromised router enables traffic interception for all connected devices
Firmware updates are rare — many users never update router firmware, meaning vulnerable devices persist in the field for years
They are trusted devices — traffic from routers is rarely inspected by endpoint security tools

For mesh router systems specifically, compromise of a single node can potentially propagate to others in the mesh, expanding the attacker's foothold across the entire home or office network.

A CVSS 10.0 unauthenticated RCE on a network device is as severe as vulnerabilities get. Any internet-accessible Acer Wave 7 router is at risk of exploitation without any user action.

Current Status

Item	Status
Patch availability	Not yet available
Acer acknowledgement	Confirmed — working on fix
CVE assignments	Pending
Active exploitation	Not confirmed — but no patch exists
Researcher PoC	Withheld pending patch

Acer has not provided a timeline for when the firmware update will be released.

Immediate Mitigations

Until a patch is available, Acer Wave 7 owners should take the following steps:

Reduce Attack Surface

Disable remote management — Turn off any web-based administration access from the WAN interface (internet side). Most home routers have this off by default, but verify your settings.
Verify administration interface is LAN-only — The router's admin panel should only be accessible from devices on your local network, not from the internet.
Change default credentials — If you have not changed the default admin password, do so immediately.

Monitor for Unusual Activity

Check connected devices — Review the router's connected device list for unknown MAC addresses or hostnames
Review outbound traffic — If your router supports traffic logging, look for unusual outbound connections, especially to unfamiliar IP addresses
Watch for configuration changes — Unexpected DNS server changes or port forwarding rules can indicate compromise

Prepare for the Patch

Enable automatic updates if available on your Acer Wave 7 model, or check Acer's support site frequently for firmware updates
Consider temporary replacement — For high-security environments, temporarily replacing the router until a patch is available may be warranted

Background: Mesh Router Security

What to Watch For

CVE assignment: Acer and the reporting researchers are expected to file CVEs with NVD once the patch is ready
Patch release: Monitor Acer's support site and security advisories
Active exploitation: If threat intelligence surfaces indicating active exploitation, the urgency to mitigate escalates significantly
CISA KEV: If exploitation is confirmed, expect CISA to add these CVEs to the Known Exploited Vulnerabilities catalog with a mandatory federal patching deadline

Source: BleepingComputer — Published June 3, 2026

Acer Working to Patch Max Severity Zero-Days in Wave 7 Routers

What Was Found

Affected Hardware

Why This Matters

Current Status

Immediate Mitigations

Reduce Attack Surface

Monitor for Unusual Activity

Prepare for the Patch

Background: Mesh Router Security

What to Watch For

VS Code Zero-Day Lets Hackers Steal GitHub Tokens in One Click

Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks

Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal

Acer Working to Patch Max Severity Zero-Days in Wave 7 Routers

What Was Found

Affected Hardware

Why This Matters

Current Status

Immediate Mitigations

Reduce Attack Surface

Monitor for Unusual Activity

Prepare for the Patch

Background: Mesh Router Security

What to Watch For

VS Code Zero-Day Lets Hackers Steal GitHub Tokens in One Click

Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks

Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal