CVE-2026-49200 Overview
CVE-2026-49200 is an information disclosure vulnerability in Acer device firmware. The acer_cgi.log file is accessible without authentication through the web interface. The file stores cleartext login credentials for both the web management interface and Telnet service. An unauthenticated remote attacker can retrieve the file and obtain valid credentials, leading to full administrative access to the device.
The weakness is classified as [CWE-532] Insertion of Sensitive Information into Log File. The vulnerability is network-exploitable, requires no privileges, and needs no user interaction.
Critical Impact
Unauthenticated retrieval of acer_cgi.log exposes cleartext web and Telnet credentials, enabling complete device takeover by remote attackers.
Affected Products
- Acer device firmware (specific models referenced in the vendor advisory)
- Devices exposing the web management interface to untrusted networks
- Devices with Telnet enabled using credentials stored in acer_cgi.log
Discovery Timeline
- 2026-05-29 - CVE-2026-49200 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-49200
Vulnerability Analysis
The affected firmware writes runtime authentication data into acer_cgi.log on the device file system. The web server serves this log file through the management interface without enforcing authentication or access control. Any client able to reach the device over HTTP can request the file directly and parse its contents.
Because the credentials are stored in cleartext, no offline cracking is required. The same credentials grant access to the web administration interface and to Telnet, which typically provides shell-level control of the device. An attacker who retrieves the file gains full administrative control of the device, including the ability to modify configuration, pivot into the internal network, and persist on the device firmware.
The vulnerability falls under the Information Disclosure and Hardcoded/Cleartext Credentials categories. It also represents a Broken Access Control issue on the web interface, since a sensitive resource is served without authentication checks. See the Acer Community Support Article for vendor guidance.
Root Cause
Two design flaws combine to create the vulnerability. First, the firmware logs sensitive authentication material in cleartext, violating secure logging practices. Second, the web server does not gate access to log resources behind authentication, allowing anonymous retrieval of internal files.
Attack Vector
The attack vector is network-based. An attacker reaches the device web interface and issues a direct HTTP request for acer_cgi.log. The server returns the file without any credential check. The attacker then extracts the embedded username and password and authenticates to the web interface or Telnet service as a legitimate administrator. No exploit code is required because the attack is a simple unauthenticated HTTP GET.
Detection Methods for CVE-2026-49200
Indicators of Compromise
- HTTP GET requests for acer_cgi.log or similar log paths originating from external or unexpected source addresses
- Successful Telnet logins to Acer devices from IP addresses not associated with administrators
- Configuration changes on the device shortly after anonymous access to the web interface
- New or modified administrative accounts on affected devices
Detection Strategies
- Inspect web server access logs on affected devices for requests targeting acer_cgi.log and return codes of 200.
- Alert on Telnet authentication events from IP ranges outside the administrative network.
- Compare current device configuration against a known-good baseline to surface unauthorized modifications.
Monitoring Recommendations
- Forward device web and Telnet logs to a centralized log platform for retention and correlation.
- Monitor northbound and southbound traffic for the affected devices to detect post-compromise pivoting.
- Track outbound connections from device management interfaces, which should normally be minimal.
How to Mitigate CVE-2026-49200
Immediate Actions Required
- Restrict access to the device web interface and Telnet service to trusted management networks using firewall rules or ACLs.
- Rotate all credentials configured on affected devices, including web administration and Telnet accounts.
- Apply firmware updates published by Acer as referenced in the Acer Community Support Article.
- Audit affected devices for unauthorized configuration changes or accounts and remediate any findings.
Patch Information
Refer to the Acer Community Support Article for the official advisory, affected models, and firmware versions that address the cleartext credential logging and unauthenticated file access issues.
Workarounds
- Disable Telnet on the device and require management over secured channels where supported.
- Block external access to the device web management interface at the network perimeter.
- Place affected devices on an isolated management VLAN with strict ingress filtering until firmware updates are applied.
- Where the device supports it, remove or clear acer_cgi.log and disable verbose logging that captures credentials.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
