Impact
The vulnerability is an OS command injection that may be exploited after an administrator authenticates to the VPN server configuration module on TP‑Link Archer BE230 v1.2 and Archer AX73 v2 routers. This entry covers one of multiple distinct OS command injection code paths. The attack allows injection of arbitrary shell commands, effectively granting full administrative control of the device. This could lead to severe compromise of configuration integrity, network security, and service availability. The weakness is classified as CWE‑78.
Affected Systems
The affected products are the TP‑Link Archer BE230 v1.2 and Archer AX73 v2 routers. Firmware versions earlier than 1.2.4 (Build 20251218 rel.70420) for the BE230 and earlier than 1.3.1 (Build 20260430) for the AX73 are impacted. Firmware versions at or beyond these releases may or may not include the fix; the vendor has not confirmed the absence or presence of the vulnerability in newer firmware. The issue applies only to routers running the default firmware image provided by TP‑Link. No other vendors or products are affected.
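The version boundaries above can be applied to a device inventory. The following is an added example, not code from TP‑Link or from this advisory: it assumes firmware strings in the form shown above (`X.Y.Z Build YYYYMMDD`, with an optional `rel.N` suffix), treats an earlier build date of the same version as earlier firmware, and uses constructed host names and inventory rows.

```python
import re

# Boundaries from the advisory: firmware earlier than these is impacted.
THRESHOLDS = {
    ("Archer BE230", "v1.2"): ((1, 2, 4), 20251218),
    ("Archer AX73", "v2"): ((1, 3, 1), 20260430),
}

# Accepts "1.2.4 Build 20251218 rel.70420" and "1.3.1 (Build 20260430)".
FW_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*\(?Build\s+(\d{8})(?:\s+rel\.\d+)?\)?\s*$", re.I
)


def parse_firmware(text):
    """Return ((major, minor, patch), build_date), or None if unparseable."""
    m = FW_RE.match(text)
    if not m:
        return None
    return (tuple(int(x) for x in m.group(1, 2, 3)), int(m.group(4)))


def classify(model, hw_rev, firmware):
    """Return not_listed, unparseable, impacted or unconfirmed for one device."""
    threshold = THRESHOLDS.get((model, hw_rev))
    if threshold is None:
        return "not_listed"      # model/hardware revision not named in the advisory
    parsed = parse_firmware(firmware)
    if parsed is None:
        return "unparseable"     # needs manual review; do not assume it is safe
    # Tuple comparison orders by version first, then by build date.
    if parsed < threshold:
        return "impacted"
    # At or beyond the listed release: the advisory says the fix is not confirmed.
    return "unconfirmed"


# Constructed sample inventory: (host, model, hardware revision, firmware string).
INVENTORY = [
    ("gw-branch-01", "Archer BE230", "v1.2", "1.2.3 Build 20250811 rel.40112"),
    ("gw-branch-02", "Archer BE230", "v1.2", "1.2.4 Build 20251218 rel.70420"),
    ("gw-lab-01", "Archer AX73", "v2", "1.3.0 Build 20250101"),
    ("gw-lab-02", "Archer AX73", "v1", "1.3.0 Build 20250101"),
    ("gw-lab-03", "Archer AX73", "v2", "unknown"),
]


def audit(inventory):
    """Map each host name to its classification."""
    return {host: classify(model, hw, fw) for host, model, hw, fw in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```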
Risk and Exploitability
The CVSS score of 8.5 places this vulnerability in the high severity range. The EPSS score of 3% indicates a moderate exploitation probability, and the vulnerability is not currently listed as a known exploited vulnerability in the KEV catalog. Successful exploitation requires prior administrative authentication to the VPN configuration interface, so it is not a pure remote attack but still represents a significant risk if credentials are compromised or the router is otherwise exposed. Attackers would send a specially crafted request after logging in, causing the router to execute arbitrary OS commands with root privileges. Patching the firmware is the only definitive fix, but in the interim, disabling the VPN server or monitoring traffic for anomalous command injection attempts can reduce risk.