Description
A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2 and Deco BE25 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability.
This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.
This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Deco BE25 v1.0: through 1.1.1 Build 20250822.
Published: 2026-02-02
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an operating system command injection that can be triggered after an administrator authenticates by importing a specially crafted VPN client configuration file. The flaw allows an attacker who can perform the import to execute arbitrary commands on the device, giving complete administrative control and compromising the router’s configuration, network security, and service availability.

Affected Systems

TP‑Link Systems Inc. devices. The Archer BE230 running firmware version 1.2 (up to but not including 1.2.4 Build 20251218 rel.70420) and the Deco BE25 with firmware 1.0 through 1.1.1 Build 20250822 are affected.

Risk and Exploitability

The issue carries a high CVSS score of 8.6, indicating substantial impact if successfully exploited. The EPSS score is listed as less than 1%, implying that current exploitation activity is low or not observed. The vulnerability is not present in CISA’s KEV catalog, so known exploit activity is not confirmed. Attackers require authenticated administrator access to trigger the import path. If an attacker can obtain admin credentials through credential compromise, social engineering or lateral movement, they could supply the malicious configuration file and gain full control of the device. The exploitation path is thus limited to environments where administrative access can be achieved remotely or the attacker can influence an existing admin user.

Generated by OpenCVE AI on April 16, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest TP‑Link firmware update for the affected devices – the update eliminates the vulnerable import functionality (for example, firmware 1.2.4 or later for Archer BE230, 1.1.2 or later for Deco BE25).
  • Until the firmware is updated, restrict access to the router’s administration interface to trusted IP addresses only, and disable or remove the VPN client configuration import feature if the firmware allows configuration changes.
  • Educate administrators about safe import practices, keep import logs monitored, and review the router’s activity for any suspicious import attempts.



Advisories

No advisories yet.

History

Mon, 02 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description
  Removed: A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
  Added: A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2 and Deco BE25 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Deco BE25 v1.0: through 1.1.1 Build 20250822.
Title
  Removed: Command Injection Vulnerability on TP-Link Archer BE230 v1.2
  Added: Command Injection Vulnerability on TP-Link Archer BE230 v1.2 and Deco BE25 v1.0
References

Fri, 06 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link archer Be230 Firmware
CPEs cpe:2.3:h:tp-link:archer_be230:1.20:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:archer_be230_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link archer Be230 Firmware
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link archer Be230
Vendors & Products Tp-link
Tp-link archer Be230

Mon, 02 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Title Command Injection Vulnerability on TP-Link Archer BE230 v1.2
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-03-02T17:40:15.901Z

Reserved: 2026-01-06T18:18:52.127Z

Link: CVE-2026-22229

Vulnrichment

Updated: 2026-02-02T18:31:16.316Z

NVD

Status: Modified

Published: 2026-02-02T18:16:15.673

Modified: 2026-03-02T18:16:26.340

Link: CVE-2026-22229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z

Weaknesses