CVE-2026-22228

4.9 MEDIUM

📋 TL;DR

An authenticated high-privilege user can cause a denial-of-service condition in TP-Link Archer BE230 routers by restoring a crafted configuration file with an excessively long parameter. This causes the device to become unresponsive until rebooted. Only TP-Link Archer BE230 v1.2 devices running firmware versions before 1.2.4 Build 20251218 rel.70420 are affected.

💻 Affected Systems

Products:
  • TP-Link Archer BE230
Versions: v1.2 < 1.2.4 Build 20251218 rel.70420
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects v1.2 hardware revision. Requires authenticated user with configuration restore privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious insider or a compromised admin account could repeatedly trigger the DoS, causing extended network downtime and requiring physical access to reboot devices.

🟠 Likely Case

Accidental or intentional DoS by authorized users with configuration restore privileges, causing temporary service disruption until manual reboot.

🟢 If Mitigated

Limited to authorized users with configuration restore access, causing temporary disruption that requires physical intervention to resolve.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with configuration restore privileges. Crafting a malicious configuration file is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.4 Build 20251218 rel.70420 or later

Vendor Advisory: https://www.tp-link.com/us/support/faq/4941/

Restart Required: Yes

Instructions:

1. Download latest firmware from TP-Link support site.
2. Log into router admin interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload and install the new firmware.
5. Router will reboot automatically.

🔧 Temporary Workarounds

Restrict configuration restore access

all

Limit configuration restore functionality to only essential administrative accounts and monitor usage.

Disable remote admin access

all

Disable remote administration to prevent external exploitation of authenticated access.

🧯 If You Can't Patch

  • Restrict configuration restore privileges to a minimal number of trusted administrators
  • Implement monitoring for configuration restore events and investigate anomalies

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under Status > Firmware Version. If version is earlier than 1.2.4 Build 20251218 rel.70420, device is vulnerable.

Check Version:

No CLI command available. Check via web interface at Status > Firmware Version.

Verify Fix Applied:

After patching, verify firmware version shows 1.2.4 Build 20251218 rel.70420 or later in admin interface.

📡 Detection & Monitoring

Log Indicators:

  • Configuration restore events followed by device unresponsiveness
  • Multiple failed login attempts to admin interface

Network Indicators:

  • Router becoming unresponsive to ping/management requests
  • Network services dropping after configuration changes

SIEM Query:

Search for events containing 'configuration restore', 'firmware upload', or admin interface access patterns followed by device outage alerts.
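
One way to express the correlation described above (a configuration restore followed shortly by the device going unreachable) as detection logic. This is an added example, not vendor or advisory code. The event schema, device names, user names and the five-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema; the router's
# real log format is not given on this page, so map your own fields to these.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T09:00:00", "device": "be230-lobby", "type": "config_restore", "user": "admin"},
    {"ts": "2026-01-10T09:01:30", "device": "be230-lobby", "type": "device_unreachable"},
    {"ts": "2026-01-10T11:00:00", "device": "be230-lab", "type": "config_restore", "user": "netops"},
    {"ts": "2026-01-10T14:20:00", "device": "be230-lab", "type": "device_unreachable"},
    {"ts": "2026-01-10T15:00:00", "device": "be230-lobby", "type": "config_restore", "user": "admin"},
    {"ts": "2026-01-10T15:00:45", "device": "be230-lobby", "type": "device_unreachable"},
]

def correlate(events, window=timedelta(minutes=5)):
    """Return one finding per outage that begins within `window` after a
    configuration restore on the same device."""
    last_restore = {}  # device -> (timestamp, user) of the most recent restore
    findings = []
    # Sort first: events from different collectors rarely arrive in order.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "config_restore":
            last_restore[ev["device"]] = (ts, ev.get("user", "unknown"))
        elif ev["type"] == "device_unreachable":
            # Consume the restore so a later, unrelated outage is not blamed on it.
            restore = last_restore.pop(ev["device"], None)
            if restore and ts - restore[0] <= window:
                findings.append({"device": ev["device"], "user": restore[1],
                                 "restore_ts": restore[0], "delay": ts - restore[0]})
    return findings

def repeat_offenders(findings, threshold=2):
    """Devices with `threshold` or more restore-then-outage findings,
    the repeated-trigger pattern described under Worst Case."""
    counts = {}
    for f in findings:
        counts[f["device"]] = counts.get(f["device"], 0) + 1
    return sorted(d for d, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['device']}: unreachable {f['delay']} after restore by {f['user']}")
```
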
