Description
An OS
command injection vulnerability exists in the VPN module of TP-Link Archer AX12
v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an
adjacent, authenticated attacker to execute arbitrary commands on the device by
importing a specially crafted VPN client configuration file. The issue stems
from improper filtering of special characters. 





Successful
exploitation of this vulnerability may enable an attacker to gain full control
of the affected device, potentially compromising configuration integrity,
network security, and service availability.
Published: 2026-06-10
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the VPN module of certain TP‑Link Archer routers. An authenticated attacker on the local network can craft a special VPN client configuration file that, when processed, allows arbitrary operating‑system commands to run on the router. This can lead to full control of the device, compromising the routing configuration, network security posture, and service availability. The weakness corresponds to CWE‑78, improper filtering of shell characters.

Affected Systems

Affected models include TP‑Link Archer AX12 v1, Archer AX17 v1, Archer AX18 v1, and Archer AX1300 v1.6. All are TP‑Link routers running proprietary firmware that incorporates the vulnerable VPN module. Users should be aware that the flaw exists in the versions listed and any delivery of configuration files to the device.

Risk and Exploitability

The CVSS base score of 8.5 indicates high severity, while the EPSS score is not available, but the absence of a KEV listing does not diminish risk. Attack requires local network presence and pre‑existing authentication to the gateway, meaning it targets users who have some level of local access. Given these conditions, organizations with devices in such a configuration should treat the vulnerability as a high‑priority risk, as exploitation can result in device takeover and broader network compromise.

Generated by OpenCVE AI on June 10, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected Archer routers to the latest firmware versions available from the TP‑Link support site, ensuring the VPN module patch is applied.
  • Restrict VPN client configuration file creation to trusted administrators and validate that the router’s firmware rejects disallowed characters; as an interim measure, disable the VPN service if it is not required.
  • Implement network segmentation to limit the exposure of the gateway to potential local attackers, and consider additional host‑based firewall rules to block unexpected traffic from unknown VPN clients.

Generated by OpenCVE AI on June 10, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters.  Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.
Title Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-10T18:18:16.049Z

Reserved: 2026-05-20T22:32:54.201Z

Link: CVE-2026-9151

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-10T18:17:15.637

Modified: 2026-06-10T19:41:25.327

Link: CVE-2026-9151

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses