CVE-2026-22221 – An OS command injection vulnerability in TP-Lin... (How to Fix)

Q: How do I fix CVE-2026-22221?

1. Download firmware v1.2.4 or later from TP-Link support site. 2. Log into router admin interface. 3. Navigate to System Tools > Firmware Upgrade. 4. Upload the firmware file. 5. Wait for upgrade to complete and router to reboot.

Q: What is the severity of CVE-2026-22221?

CVE-2026-22221 has a CVSS score of 8.0 (HIGH). An OS command injection vulnerability in TP-Link Archer BE230 routers allows adjacent authenticated attackers to execute arbitrary commands. This could lead to full administrative control of the device, compromising network security and service availability. The vulnerability affects Archer BE230 v1.2 firmware versions before 1.2.4 Build 20251218 rel.70420.

📋 TL;DR

An OS command injection vulnerability in TP-Link Archer BE230 routers allows adjacent authenticated attackers to execute arbitrary commands. This could lead to full administrative control of the device, compromising network security and service availability. The vulnerability affects Archer BE230 v1.2 firmware versions before 1.2.4 Build 20251218 rel.70420.

💻 Affected Systems

Products:

TP-Link Archer BE230

Versions: v1.2 < 1.2.4 Build 20251218 rel.70420

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires adjacent network access and authentication. Affects VPN modules specifically.

📦 What is this software?

Archer Be230 Firmware by Tp Link

View all CVEs affecting Archer Be230 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full administrative control of the router, can reconfigure network settings, intercept traffic, install persistent malware, and use the device as a pivot point to attack other network devices.

🟠

Likely Case

Attacker with adjacent network access and valid credentials executes commands to modify router configuration, disrupt network services, or steal sensitive information passing through the router.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the isolated network segment containing the vulnerable device.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires adjacent network access and valid credentials. Multiple similar command injection issues exist in different code paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.2.4 Build 20251218 rel.70420 or later

Vendor Advisory: https://www.tp-link.com/us/support/faq/4935/

Restart Required: Yes

Instructions:

1. Download firmware v1.2.4 or later from TP-Link support site. 2. Log into router admin interface. 3. Navigate to System Tools > Firmware Upgrade. 4. Upload the firmware file. 5. Wait for upgrade to complete and router to reboot.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate the vulnerable router from critical network segments to limit potential lateral movement.

Access Control Restrictions

all

Restrict administrative access to the router to specific trusted IP addresses only.

🧯 If You Can't Patch

Segment the router on an isolated VLAN with strict firewall rules
Disable VPN functionality if not required for business operations

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Tools > Firmware Upgrade or Status page.

Check Version:

Log into router web interface and navigate to Status or System Information page

Verify Fix Applied:

Verify firmware version shows v1.2.4 Build 20251218 rel.70420 or later after upgrade.

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed authentication attempts followed by successful login
Unexpected configuration changes

Network Indicators:

Unusual outbound connections from router
Traffic patterns inconsistent with normal router operation
VPN connection anomalies

SIEM Query:

source="router_logs" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")

📊 Metadata

CVE ID: CVE-2026-22221

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.09% exploit probability (25.5th percentile)

Published: February 2, 2026

Last Updated: February 6, 2026

🔗 References

https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/us/support/faq/4935/ Vendor Advisory,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-22221, you might also want to check these: