Acer Wave 7 Router RCE via CVE-2024-41591 and CVE-2024-41592

Acer has issued an urgent advisory regarding two maximum-severity Zero-Day vulnerabilities affecting its Wave 7 (W7) Wi-Fi 7 mesh routers. These flaws, which both carry a CVSS score of 10.0, allow unauthenticated remote attackers to achieve full RCE on the device. According to BleepingComputer, the vulnerabilities were identified and reported by SSD Secure Disclosure, highlighting significant security gaps in the router’s management and diagnostic interfaces.

Technical Analysis of the Dual RCE Flaws

The first critical CVE, CVE-2024-41591, is a stack-based buffer overflow vulnerability located within the ‘cfg’ service. This service is responsible for handling configuration via the router’s web management interface. Specifically, an attacker can send a specially crafted HTTP request targeting the ‘account’ parameter. Because the system fails to perform adequate boundary checks on the input, the buffer can be overflowed, allowing the attacker to overwrite memory and redirect execution flow to arbitrary code. Since this occurs prior to authentication, it provides an open door for initial access into the network.

The second vulnerability, CVE-2024-41592, is a command injection flaw residing in the router’s system diagnostic tools. These tools are often used for network troubleshooting, such as ping or traceroute functions. By manipulating the input parameters of these diagnostic functions, an attacker can bypass sanitization routines and execute system-level commands. Given that these services often run with high privileges, successful exploitation results in the attacker gaining root access to the underlying operating system of the router.

Impact on Enterprise and Home Networks

When these two vulnerabilities are exploited, the router effectively becomes a C2 pivot point for the attacker. Once the gateway is compromised, the actor can perform Lateral Movement to target internal workstations, servers, and IoT devices. For organizations utilizing these routers in small offices or remote work environments, the risk extends to credential theft and the interception of unencrypted traffic. Furthermore, compromised routers are frequently recruited into botnets to perform DDoS attacks or act as proxies for other malicious activities to obfuscate the attacker’s true origin.

Mitigation and Patching Acer Wave 7 Zero-Day Vulnerabilities

Defenders must prioritize the deployment of the latest Acer Wave 7 router security patches to mitigate these risks. Acer has released firmware version 1.0.0.123, which reportedly addresses both CVEs by implementing proper input validation and memory safety checks.

Recommendations for Network Administrators

• Firmware Updates: Immediately verify the current firmware version of all Acer Wave 7 devices. If the version is below 1.0.0.123, update the device through the official Acer support portal.
• Disable Remote Management: Ensure that the web management interface is not accessible from the public internet. Access should be restricted to local network segments or secured behind a VPN.
• Monitor for Exploitation: Security teams should investigate how to detect CVE-2024-41591 exploit attempts by reviewing SIEM or SOC logs for unusual POST requests to the ‘cfg’ service or unexpected system commands originating from the router’s IP address.
• Review TTPs: Consider the TTP of threat actors who target edge devices; they often attempt to disable EDR agents on connected hosts once they have gained a foothold through the router.

By ensuring patching Acer Wave 7 zero-day vulnerabilities is completed promptly, organizations can prevent the high-impact consequences of a full perimeter breach. If a device is suspected of compromise, a full factory reset followed by an immediate firmware update and credential rotation for all connected accounts is recommended.