Description
An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s developer console by supplying a crafted input that is passed to backend system commands without adequate sanitization.

Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router’s operating environment.
Published: 2026-05-27
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated command injection flaw is present in the web management interface of the Archer BE450 v1 and BE7200 V1 routers. After login, a user can manipulate the browser’s developer console to inject payloads that bypass input sanitization. The injection delivers arbitrary shell commands with elevated privileges, enabling full compromise of the router’s operating system, such as starting unauthorized services, modifying configuration, or tampering with network traffic. The vulnerability is identified as CWE‑20 input validation failure.

Affected Systems

TP‑Link Archer BE450 version 1 and TP‑Link Archer BE7200 version 1 are affected. No additional product versions are listed in the CNA data, so only these hardware models and firmware releases are considered at risk.

Risk and Exploitability

The flaw has a CVSS score of 8.5, indicating high severity. Exploitation requires authenticated administrative access to the router, which suggests the attack vector is local networks with admin credentials, but remote exploitation is feasible if an attacker can gain those credentials. The EPSS score is not available, but the lack of KEV listing reduces the likelihood of widespread exploitation at this time. Nonetheless, the ability to execute privileged commands provides a clear path to full device compromise, warranting immediate attention.

Generated by OpenCVE AI on May 27, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to the latest version released by TP‑Link that addresses the command injection flaw
  • Restrict administrative access to the router to a local network or trusted devices to reduce exposure to the web interface
  • Consider disabling the developer console or enforcing stricter browser security policies to limit the injection surface

Generated by OpenCVE AI on May 27, 2026 at 19:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s developer console by supplying a crafted input that is passed to backend system commands without adequate sanitization. Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router’s operating environment.
Title Arbitrary Command Injection via Browser Developer Console in TP-Link Archer BE450 and BE7200
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-05-27T17:59:21.254Z

Reserved: 2026-04-03T16:59:38.570Z

Link: CVE-2026-5509

cve-icon Vulnrichment

Updated: 2026-05-27T17:59:17.671Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T18:16:29.050

Modified: 2026-05-27T19:44:57.073

Link: CVE-2026-5509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses