Description
A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2 and Archer AXE75 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability.



This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.


This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108.
Published: 2026-02-02
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw exists in the VPN Connection Service of certain TP‑Link routers, allowing an authenticated administrator to run arbitrary operating‑system commands with full device privileges. This weakness can compromise the configuration integrity, network security, and overall availability of the affected network device. The vulnerability is classified as an OS command injection (CWE‑78). Based on the description, the vulnerability can be exploited only after an attacker obtains administrative credentials to the router’s management interface.

Affected Systems

The vulnerability affects TP‑Link Archer BE230 firmware versions earlier than 1.2.4 Build 20251218 rel.70420 and TP‑Link Archer AX53 firmware versions earlier than 1.5.3 Build 20260209 rel.71108, as identified by vendor listings. No other models are explicitly mentioned in the official advisory.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score is reported as less than 1 % and the flaw is not listed in CISA’s KEV catalog, suggesting that exploitation in the wild is currently low. Attackers who possess or compromise administrator credentials can exploit the VPN Connection Service to execute commands with system privileges, effectively taking over the device. The risk remains high if administrative access can be obtained, but the likelihood of a public attack appears low at this time.

Generated by OpenCVE AI on April 18, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Archer BE230 firmware to version 1.2.4 Build 20251218 rel.70420 or later and upgrade the Archer AX53 firmware to at least 1.5.3 Build 20260209 rel.71108 via the TP‑Link support site.
  • If a firmware upgrade cannot be performed immediately, disable the VPN Connection Service or restrict its access with firewall rules or ACLs, limiting connectivity to trusted internal addresses only.
  • Enforce complex, unique passwords for all administrative accounts and enable two‑factor authentication on the router’s management interface if the feature is available.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 22:30:00 +0000

Description
Values Removed: A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Values Added: A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2 and Archer AXE75 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108.

Title
Values Removed: Command Injection Vulnerability on TP-Link Archer BE230 v1.2
Values Added: Command Injection Vulnerability on TP-Link Archer BE230 v1.2 and AXE75 v1.0

References

Fri, 06 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link archer Be230 Firmware
CPEs cpe:2.3:h:tp-link:archer_be230:1.20:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:archer_be230_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link archer Be230 Firmware
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link archer Be230
Vendors & Products Tp-link
Tp-link archer Be230

Mon, 02 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Title Command Injection Vulnerability on TP-Link Archer BE230 v1.2
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-03-19T22:22:43.155Z

Reserved: 2026-01-06T18:18:52.127Z

Link: CVE-2026-22225

Vulnrichment

Updated: 2026-02-02T18:54:31.397Z

NVD

Status: Modified

Published: 2026-02-02T18:16:15.273

Modified: 2026-03-19T23:16:40.890

Link: CVE-2026-22225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses