Vulnerability intelligence

CVE-2026-49201

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.

CVSS Score

Critical

EPSS — Exploit Probability

0.0%

Riskier than 10% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

unknown

Check vendor advisories

NVD entry PoC / advisory

1 article across 1 outlet · first covered Jun 3, 2026 · latest Jun 3, 2026

Coverage timeline

Critical flaws in Acer Wave 7 leak credentials, enable backdoors
securityonline.info · Jun 3, 2026