CVE-2026-22227

7.2 HIGH

📋 TL;DR

A command injection vulnerability in TP-Link Archer BE230 routers allows authenticated attackers to execute arbitrary OS commands via the configuration backup restoration function. This affects Archer BE230 v1.2 devices running firmware versions below 1.2.4 Build 20251218 rel.70420. Successful exploitation grants full administrative control over the router.

💻 Affected Systems

Products:
  • TP-Link Archer BE230
Versions: v1.2 < 1.2.4 Build 20251218 rel.70420
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication to exploit via configuration backup restoration function.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of router configuration, network traffic interception, lateral movement to connected devices, persistent backdoor installation, and service disruption.

🟠 Likely Case

Unauthorized administrative access leading to network configuration changes, DNS hijacking, credential theft, and potential man-in-the-middle attacks.

🟢 If Mitigated

Limited to authenticated attackers only, with proper network segmentation reducing lateral movement opportunities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but command injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.4 Build 20251218 rel.70420 or later

Vendor Advisory: https://www.tp-link.com/us/support/faq/4935/

Restart Required: Yes

Instructions:

1. Log into router admin interface.
2. Navigate to System Tools > Firmware Upgrade.
3. Download latest firmware from TP-Link support site.
4. Upload and install firmware.
5. Reboot router.

🔧 Temporary Workarounds

  • Disable remote administration (applies to: all): prevents external access to admin interface
  • Restrict admin access (applies to: all): limit admin interface access to trusted IP addresses only

🧯 If You Can't Patch

  • Change default admin credentials to strong, unique passwords
  • Disable configuration backup/restore functionality if not needed

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Tools > Firmware Upgrade

Check Version:

Login to router web interface and navigate to System Tools > Firmware Upgrade

Verify Fix Applied:

Verify firmware version is 1.2.4 Build 20251218 rel.70420 or later
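Added example, not part of this advisory or TP-Link's own tooling: a fleet check that parses the firmware string format the advisory uses ("1.2.4 Build 20251218 rel.70420") and flags v1.2 devices that are still below the fixed build. The inventory entries and hostnames are constructed sample data.

```python
import re

# Fixed version exactly as stated in the advisory; only hardware revision v1.2 is listed as affected.
FIXED_VERSION = "1.2.4 Build 20251218 rel.70420"
AFFECTED_HW = "v1.2"

# Firmware string: <major>.<minor>.<patch> Build <YYYYMMDD> rel.<number>
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\s+rel\.(\d+)$", re.IGNORECASE
)


def parse_version(text: str) -> tuple:
    """Parse a TP-Link style firmware string into a numeric tuple so that
    comparisons are numeric (1.2.10 > 1.2.4) and the build date / rel
    number break ties when the x.y.z part is equal."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return tuple(int(group) for group in match.groups())


FIXED = parse_version(FIXED_VERSION)


def assess(hardware_rev: str, firmware: str) -> str:
    """Return 'vulnerable', 'patched' or 'not_covered' for one device.
    Other hardware revisions are reported as not covered rather than
    safe, because the advisory only makes a statement about v1.2."""
    if hardware_rev.strip().lower() != AFFECTED_HW:
        return "not_covered"
    return "vulnerable" if parse_version(firmware) < FIXED else "patched"


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "gw-branch-1", "hw": "v1.2", "fw": "1.2.3 Build 20250901 rel.60000"},
    {"host": "gw-branch-2", "hw": "v1.2", "fw": "1.2.4 Build 20251101 rel.70100"},
    {"host": "gw-branch-3", "hw": "v1.2", "fw": "1.2.4 Build 20251218 rel.70420"},
    {"host": "gw-lab-1", "hw": "v1.2", "fw": "1.2.10 Build 20260301 rel.80000"},
    {"host": "gw-other-hw", "hw": "v2.0", "fw": "1.0.1 Build 20250101 rel.10000"},
]


def vulnerable_hosts(inventory=INVENTORY) -> list:
    """Hostnames of devices this advisory says must be patched."""
    return [d["host"] for d in inventory if assess(d["hw"], d["fw"]) == "vulnerable"]
```

Note that gw-branch-2 is flagged even though its x.y.z part equals the fix, because its build date is older than the fixed build.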

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration restore attempts
  • Multiple failed login attempts followed by successful admin login
  • Suspicious command execution in system logs

Network Indicators:

  • Unexpected configuration changes
  • DNS settings modification
  • New port forwarding rules

SIEM Query:

source="router_logs" AND (event="configuration_restore" OR event="admin_login")

🔗 References
