TP-Link has released urgent firmware updates for its Archer BE230 Wi-Fi 7 routers to address multiple high-severity security flaws.
These vulnerabilities could allow authenticated attackers to execute arbitrary operating system (OS) commands, effectively granting them complete administrative control over the device.
The vulnerabilities affect the Archer BE230 v1.2 model running firmware versions before 1.2.4 Build 20251218 rel.70420.
These span various system components, including VPN modules, cloud communication services, and configuration backup functions.
TP-Link OS Command Injection Vulnerability
The core issue across all reported CVEs is OS Command Injection. This type of vulnerability occurs when an application passes unsafe user-supplied data (such as form data, cookies, or HTTP headers) to a system shell.
In this case, an attacker with high privileges (authenticated access) can inject malicious commands that the router executes with root-level permissions.
| CVE ID | Component / Module | CVSS v4.0 Score |
|---|---|---|
| CVE-2026-0630 | Web Modules | 8.5 |
| CVE-2026-22222 | Web Modules | 8.5 |
| CVE-2026-0631 | VPN Modules | 8.5 |
| CVE-2026-22221 | VPN Modules | 8.5 |
| CVE-2026-22223 | VPN Modules | 8.5 |
| CVE-2026-22224 | Cloud Communication Modules | 8.5 |
| CVE-2026-22225 | VPN Connection Service | 8.5 |
| CVE-2026-22226 | VPN Server Config Module | 8.5 |
| CVE-2026-22227 | Config Backup Restoration | 8.5 |
| CVE-2026-22229 | Import of Crafted Config File | 8.6 |
While the attack complexity is low (AC:L), exploitation does require the attacker to have high privileges (PR:H).
However, if an attacker has already compromised a weak admin password or hijacked a session, they can use these vulnerabilities to escalate from simple management access to complete control of the underlying operating system.
The table above lists the specific CVEs assigned to these flaws. Note that while they share similar impacts, they represent distinct code paths.
Successful exploitation allows an attacker to manipulate the router’s configuration, intercept network traffic, disrupt services, or use the device as a pivot point to attack other devices on the network.
TP-Link has released a patched firmware version to mitigate these threats. Network administrators and users are strongly advised to update their devices immediately.
Users can download the latest firmware directly from the official TP-Link support pages for their respective regions (US, EN, or SG). Failure to apply these updates leaves the network infrastructure exposed to potential compromise.
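For administrators tracking several devices, the version check described above can be scripted. The following is an added example, not TP-Link tooling: it uses the model, hardware revision and fixed firmware string given in this article, and assumes that devices report firmware in that same "x.y.z Build YYYYMMDD rel.N" format and that releases order by version number, then build date. The inventory rows are constructed sample data.

```python
import re

# Scope and fixed release exactly as stated in the article above.
AFFECTED_MODEL = "Archer BE230"
AFFECTED_HW = "v1.2"
FIXED_FIRMWARE = "1.2.4 Build 20251218 rel.70420"

_FW_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s+Build\s+(\d{8})\s+rel\.(\d+)\s*$", re.I)


def parse_firmware(text):
    """Return ((major, minor, ...), build_date) or None if the string does not parse."""
    m = _FW_RE.match(text or "")
    if m is None:
        return None
    version = tuple(int(part) for part in m.group(1).split("."))
    return version, int(m.group(2))


def assess(model, hardware, firmware):
    """Classify one device as 'out-of-scope', 'unknown', 'vulnerable' or 'patched'."""
    if (model.strip().lower(), hardware.strip().lower()) != (
        AFFECTED_MODEL.lower(), AFFECTED_HW.lower()
    ):
        return "out-of-scope"  # the article only covers Archer BE230 v1.2
    parsed = parse_firmware(firmware)
    if parsed is None:
        return "unknown"  # needs a manual check; never assume patched
    # Assumption: releases order by version number, then by build date.
    return "vulnerable" if parsed < parse_firmware(FIXED_FIRMWARE) else "patched"


# Constructed sample inventory: (name, model, hardware revision, firmware string).
INVENTORY = [
    ("branch-1", "Archer BE230", "v1.2", "1.2.3 Build 20250901 rel.12345"),
    ("branch-2", "Archer BE230", "v1.2", "1.2.4 Build 20251101 rel.11111"),
    ("branch-3", "Archer BE230", "V1.2", "1.2.4 Build 20251218 rel.70420"),
    ("lab-1", "Archer BE230", "v1.2", "n/a"),
    ("hq-1", "Example Router", "v1.0", "1.0.0 Build 20240101 rel.1"),
]


def triage(inventory):
    """Map each device name to its assessment."""
    return {name: assess(model, hw, fw) for name, model, hw, fw in inventory}


if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:10} {status}")
```

Devices reported as "unknown" should be checked by hand in the router's management interface rather than treated as patched.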
