Login Sign Up

CVE-2026-22224

7.2 HIGH
Remote Code Execution

📋 TL;DR

This CVE describes an authenticated command injection vulnerability in TP-Link Archer BE230 routers. Attackers with admin access can execute arbitrary OS commands, potentially gaining full administrative control of the device. Only Archer BE230 v1.2 routers with firmware older than 1.2.4 Build 20251218 are affected.

💻 Affected Systems

Products:
  • TP-Link Archer BE230
Versions: v1.2 < 1.2.4 Build 20251218 rel.70420
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication to exploit. Cloud communication interface is the vulnerable component.

📦 What is this software?

Archer Be230 Firmware by Tp Link

View all CVEs affecting Archer Be230 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to reconfigure network settings, intercept traffic, install persistent malware, and use the device as a pivot point into the internal network.

🟠

Likely Case

Attacker with stolen or compromised admin credentials gains full router control, enabling traffic monitoring, DNS hijacking, and network disruption.

🟢

If Mitigated

With strong admin passwords and network segmentation, impact is limited to the router itself rather than the entire network.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but command injection is typically straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.4 Build 20251218 rel.70420 or later

Vendor Advisory: https://www.tp-link.com/us/support/faq/4935/

Restart Required: Yes

Instructions:

1. Visit TP-Link support page for Archer BE230 v1.2. 2. Download firmware version 1.2.4 or later. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install the new firmware. 6. Wait for router to reboot automatically.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to admin interface

Change Admin Credentials

all

Use strong, unique admin password to reduce credential theft risk

🧯 If You Can't Patch

  • Isolate router on separate VLAN to limit lateral movement
  • Implement network monitoring for unusual router configuration changes

🔍 How to Verify

Check if Vulnerable:

Log into router admin interface and check firmware version under System Tools > Firmware Upgrade

Check Version:

Check router web interface or use nmap -sV to identify firmware version

Verify Fix Applied:

Confirm firmware version is 1.2.4 Build 20251218 rel.70420 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin login attempts
  • Unexpected firmware or configuration changes
  • Suspicious command execution in system logs

Network Indicators:

  • Unusual outbound connections from router
  • DNS configuration changes
  • Unexpected port openings

SIEM Query:

source="router_logs" AND (event="admin_login" OR event="config_change") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2026-22224
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
EPSS Score: 0.53% exploit probability (66.5th percentile)
Published: February 2, 2026
Last Updated: February 6, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-22224, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)