CVE-2026-22223 – An OS command injection vulnerability in TP-Lin... (How to Fix)

Q: How do I fix CVE-2026-22223?

1. Download firmware from TP-Link support page. 2. Log into router admin interface. 3. Navigate to System Tools > Firmware Upgrade. 4. Upload the firmware file. 5. Wait for automatic reboot.

Q: What is the severity of CVE-2026-22223?

CVE-2026-22223 has a CVSS score of 8.0 (HIGH). An OS command injection vulnerability in TP-Link Archer BE230 routers allows adjacent authenticated attackers to execute arbitrary commands. This could lead to complete device compromise, affecting configuration integrity and network security. Only Archer BE230 v1.2 routers with firmware versions below 1.2.4 Build 20251218 are affected.

📋 TL;DR

An OS command injection vulnerability in TP-Link Archer BE230 routers allows adjacent authenticated attackers to execute arbitrary commands. This could lead to complete device compromise, affecting configuration integrity and network security. Only Archer BE230 v1.2 routers with firmware versions below 1.2.4 Build 20251218 are affected.

💻 Affected Systems

Products:

TP-Link Archer BE230

Versions: v1.2 < 1.2.4 Build 20251218 rel.70420

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires adjacent network access and authentication. Affects VPN modules specifically.

📦 What is this software?

Archer Be230 Firmware by Tp Link

View all CVEs affecting Archer Be230 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full administrative control of the router, enabling network traffic interception, device reconfiguration, lateral movement to connected devices, and persistent backdoor installation.

🟠

Likely Case

Attacker modifies router settings, redirects DNS, intercepts traffic, or uses the router as a pivot point for attacking other network devices.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself without compromising the broader network.

🌐 Internet-Facing: LOW

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires adjacent network access and authentication credentials. Part of multiple similar command injection issues across different code paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.4 Build 20251218 rel.70420 or later

Vendor Advisory: https://www.tp-link.com/us/support/faq/4935/

Restart Required: Yes

Instructions:

1. Download firmware from TP-Link support page. 2. Log into router admin interface. 3. Navigate to System Tools > Firmware Upgrade. 4. Upload the firmware file. 5. Wait for automatic reboot.

🔧 Temporary Workarounds

Disable VPN modules

all

If VPN functionality is not required, disable VPN modules to remove the vulnerable attack surface.

Network segmentation

all

Isolate the router on a separate VLAN to limit adjacent network access.

🧯 If You Can't Patch

Implement strict network access controls to limit who can access the router's management interface
Change default credentials and implement strong authentication mechanisms

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Tools > Firmware Upgrade. If version is below 1.2.4 Build 20251218, device is vulnerable.

Check Version:

Check router web interface or use nmap with appropriate scripts to identify firmware version

Verify Fix Applied:

After firmware update, verify version shows 1.2.4 Build 20251218 rel.70420 or higher in the same location.

📡 Detection & Monitoring

Log Indicators:

Unusual VPN module activity
Multiple failed authentication attempts followed by successful login
Unexpected configuration changes

Network Indicators:

Unusual outbound connections from router
DNS redirection patterns
VPN tunnel anomalies

SIEM Query:

source="router_logs" AND (event_type="configuration_change" OR event_type="vpn_module_activity")

📊 Metadata

CVE ID: CVE-2026-22223

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.09% exploit probability (25.5th percentile)

Published: February 2, 2026

Last Updated: February 6, 2026

🔗 References

https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware Product
https://www.tp-link.com/us/support/faq/4935/ Vendor Advisory,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-22223, you might also want to check these: