CVE-2026-0630 – An authenticated OS command injection vulnerabi... (How to Fix)

Q: What is the severity of CVE-2026-0630?

CVE-2026-0630 has a CVSS score of 8.0 (HIGH). An authenticated OS command injection vulnerability in TP-Link Archer BE230 routers allows attackers on the same network to execute arbitrary commands with administrative privileges. This affects Archer BE230 v1.2 routers running firmware versions before 1.2.4 Build 20251218 rel.70420. Successful exploitation gives attackers full control of the router.

📋 TL;DR

An authenticated OS command injection vulnerability in TP-Link Archer BE230 routers allows attackers on the same network to execute arbitrary commands with administrative privileges. This affects Archer BE230 v1.2 routers running firmware versions before 1.2.4 Build 20251218 rel.70420. Successful exploitation gives attackers full control of the router.

💻 Affected Systems

Products:

TP-Link Archer BE230

Versions: v1.2 firmware versions before 1.2.4 Build 20251218 rel.70420

Operating Systems: Router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires adjacent network access and authentication. Affects web management interface modules.

📦 What is this software?

Archer Be230 Firmware by Tp Link

View all CVEs affecting Archer Be230 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains complete administrative control of the router, enabling network traffic interception, device reconfiguration, installation of persistent malware, and use as a pivot point to attack other network devices.

🟠

Likely Case

Attacker modifies router settings, redirects DNS, intercepts network traffic, or installs malware on the router to maintain persistence and monitor network activity.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself, though it still compromises network security and could serve as a foothold for further attacks.

🌐 Internet-Facing: LOW (The vulnerability requires adjacent network access and authentication, not directly exploitable from the internet unless the router's admin interface is exposed)

🏢 Internal Only: HIGH (Attackers on the same network can exploit this after obtaining valid credentials)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW (Once authenticated, exploitation is straightforward)

Multiple distinct OS command injection issues exist in this product, each tracked separately. This specific instance requires authentication and adjacent network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.2.4 Build 20251218 rel.70420 or later

Vendor Advisory: https://www.tp-link.com/us/support/faq/4935/

Restart Required: Yes

Instructions:

1. Download firmware from TP-Link support site. 2. Log into router admin interface. 3. Navigate to System Tools > Firmware Upgrade. 4. Upload the firmware file. 5. Wait for upgrade to complete and router to reboot.

🔧 Temporary Workarounds

Restrict Admin Interface Access

all

Limit access to the router's web management interface to specific trusted IP addresses only

Change Default Credentials

all

Ensure strong, unique administrative passwords are set to prevent credential-based attacks

🧯 If You Can't Patch

Segment the router on a dedicated management VLAN separate from user traffic
Implement network monitoring for unusual router configuration changes or unexpected outbound connections

🔍 How to Verify

Check if Vulnerable:

Log into router admin interface, navigate to System Tools > Firmware Upgrade, and check current firmware version

Check Version:

Check router web interface at System Tools > Firmware Upgrade or via SSH if enabled: cat /proc/version

Verify Fix Applied:

After updating, verify firmware version shows 1.2.4 Build 20251218 rel.70420 or later in System Tools > Firmware Upgrade

📡 Detection & Monitoring

Log Indicators:

Unusual configuration changes in router logs
Multiple failed login attempts followed by successful login and configuration changes
Unexpected command execution in system logs

Network Indicators:

Unusual outbound connections from router
DNS redirection or unexpected proxy behavior
Changes to firewall rules or port forwarding

SIEM Query:

source="router_logs" AND (event_type="config_change" OR event_type="command_execution") AND user!="admin"

📊 Metadata

CVE ID: CVE-2026-0630

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.09% exploit probability (26.1th percentile)

Published: February 2, 2026

Last Updated: February 6, 2026

🔗 References

https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/us/support/faq/4935/ Vendor Advisory,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0630, you might also want to check these: