Cyber Posture

CVE-2026-0630

High

Published: 02 February 2026

Modified: 19 March 2026
KEV Added
Patch
CVSS Score: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0630 is a high-severity OS Command Injection (CWE-78) vulnerability in TP-Link Archer BE230 firmware. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 19.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Requires timely flaw remediation through firmware updates that directly patch the OS command injection vulnerability in the TP-Link router web modules.

prevent

Mandates validation of untrusted inputs to web modules to prevent OS command injection exploitation by adjacent authenticated attackers.

prevent, detect

Verifies integrity of firmware and software to detect unauthorized modifications from command injection and ensure only patched versions execute.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the web interface directly enables exploitation of the application for RCE (T1190) and arbitrary Unix shell command execution (T1059.004) on the Linux-based router.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (web modules) and Archer AXE75 v1.0 allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108.

Deeper analysis

CVE-2026-0630 is an OS command injection vulnerability (CWE-78) affecting the web modules in TP-Link Archer BE230 v1.2 and Archer AXE75 v1.0 routers. The issue exists in Archer BE230 v1.2 versions prior to 1.2.4 Build 20251218 rel.70420 and Archer AXE75 v1.0 versions prior to 1.5.3 Build 20260209 rel.71108. This CVE tracks one of multiple distinct OS command injection flaws identified across separate code paths in these devices, with each instance assigned a unique CVE ID. The vulnerability has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An adjacent authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary operating system commands on the affected device. Successful exploitation grants full administrative control, enabling severe impacts such as complete compromise of device configuration integrity, network security, and service availability.

TP-Link advisories provide firmware updates as the primary mitigation, available via download pages for the Archer BE230 v1.2 and Archer AXE75 v1.0 models on regional support sites including tp-link.com, tp-link.com/sg, and tp-link.com/us. Security practitioners should verify and apply the specified fixed builds to remediate the issue.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products

Vendor: tp-link
Product: archer be230 firmware
Version: ≤ 1.2.4

CVEs Like This One

CVE-2026-22225 (same product: TP-Link Archer BE230)
CVE-2026-22227 (same product: TP-Link Archer BE230)
CVE-2026-22229 (same product: TP-Link Archer BE230)
CVE-2026-22226 (same product: TP-Link Archer BE230)
CVE-2026-22223 (same product: TP-Link Archer BE230)
CVE-2026-22221 (same product: TP-Link Archer BE230)
CVE-2026-22224 (same product: TP-Link Archer BE230)
CVE-2026-0631 (same product: TP-Link Archer BE230)
CVE-2026-22222 (same product: TP-Link Archer BE230)
CVE-2024-57357 (same vendor: TP-Link)
