Description
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state.

Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges, potentially leading to full compromise of the affected device and unauthorized administrative control.
Published: 2026-06-22
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the DHCP option parsing logic of several TP‑Link routers, caused by insufficient input validation of externally supplied DHCP option data. An attacker who can send crafted DHCP responses while the device is in a factory‑default or otherwise unconfigured state can execute arbitrary shell commands with elevated privileges. Successful exploitation would give the attacker full administrative control over the device, enabling complete compromise of the router and any network resources it manages.

Affected Systems

The vulnerability affects multiple TP‑Link models, including Archer MR402 v1, Archer C20 v5 and v6, Archer MR200 v07 and v8, Archer VR2100 v1, and TL‑MR6400 v7. These devices process DHCP traffic during initial setup or provisioning, making the flaw relevant to the listed firmware releases.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, but the attack is likely to be mounted by an adjacent, unauthenticated adversary who can influence the DHCP traffic the router receives. Because the flaw is exploitable during the brief factory‑default period, the window of opportunity is narrow yet potentially critical, especially in environments where an untrusted device can be connected to the network during provisioning or in point‑of‑sale scenarios.

Generated by OpenCVE AI on June 22, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and flash the latest firmware update from TP‑Link’s official website for the affected router models.
  • Immediately reboot the router after flashing and complete the initial setup to establish a secure configuration.
  • If possible, disable or restrict DHCP server functionality until the router is fully configured and protected.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state. Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges, potentially leading to full compromise of the affected device and unauthorized administrative control.
Title | | Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers
Weaknesses | | CWE-78
References | |
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-22T18:25:03.149Z

Reserved: 2026-06-09T22:14:54.973Z

Link: CVE-2026-11834

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T19:30:06Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')