CVE-2026-0631
Published: 02 February 2026
Summary
CVE-2026-0631 is a high-severity OS Command Injection (CWE-78) vulnerability in TP-Link Archer BE230 firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks at the 25.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses this CVE by requiring timely identification, reporting, and correction of the OS command injection flaw through recommended firmware updates.
Prevents OS command injection by validating and sanitizing untrusted inputs to the vulnerable VPN modules.
Ensures router firmware configuration settings are maintained at the patched version (1.2.4 Build 20251218 rel.70420 or later) to mitigate this specific vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection on a network device directly enables arbitrary CLI command execution (T1059.008) and facilitates privilege escalation from low-privilege authenticated access to full admin control (T1068).
NVD Description
An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Deeper analysis
CVE-2026-0631 is an OS command injection vulnerability (CWE-78) in the VPN modules of TP-Link Archer BE230 v1.2 routers. It affects versions prior to 1.2.4 Build 20251218 rel.70420 and was published on 2026-02-02 with a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). This issue represents one of multiple distinct OS command injection vulnerabilities identified across separate code paths in the device, with each tracked under a unique CVE ID.
An adjacent authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary operating system commands. Successful exploitation enables the attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability.
TP-Link advisories recommend updating affected Archer BE230 v1.2 devices to version 1.2.4 Build 20251218 rel.70420 or later firmware, available for download from regional support pages including https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware, https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware, https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware, and https://www.tp-link.com/us/support/faq/4935/.
Details
- CWE(s)