Cyber Posture

CVE-2026-22221

High

Published: 02 February 2026

Modified: 06 February 2026
KEV Added
Patch
CVSS Score: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22221 is a high-severity OS Command Injection (CWE-78) vulnerability in TP-Link Archer BE230 firmware. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 25.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly prevents OS command injection vulnerability by validating and sanitizing inputs to the VPN modules before processing.

prevent

Ensures timely remediation of the specific firmware flaw through patching to version 1.2.4 Build 20251218 rel.70420 or later.

prevent

Limits damage from successful command injection and privilege escalation by enforcing least privilege on VPN module processes.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (Tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

OS command injection in the authenticated VPN service allows a low-privileged adjacent attacker to escalate to full admin (T1068) via exploitation of the device's remote management/VPN service (T1210).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

Deeper analysis

CVE-2026-22221 is an OS command injection vulnerability (CWE-78) affecting the VPN modules in TP-Link Archer BE230 v1.2 firmware versions prior to 1.2.4 Build 20251218 rel.70420. This issue represents one of multiple distinct OS command injection flaws identified across separate code paths in the device, with each tracked under a unique CVE ID. The vulnerability has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An adjacent, low-privileged authenticated attacker can exploit this vulnerability to execute arbitrary operating system commands on the device. Successful exploitation grants full administrative control, enabling severe compromise of the device's configuration integrity, network security, and service availability.

TP-Link advisories recommend mitigation through firmware updates, with patches available via download pages for the Archer BE230 v1.20 on regional support sites, including the US, global, and Singapore variants. A related FAQ provides additional guidance on the update process.

Details

CWE(s)

Affected Products

Vendor: tp-link
Product: archer be230 firmware
Version: ≤ 1.2.4

CVEs Like This One

CVE-2026-22229 (Same product: TP-Link Archer BE230)
CVE-2026-0631 (Same product: TP-Link Archer BE230)
CVE-2026-22223 (Same product: TP-Link Archer BE230)
CVE-2026-22224 (Same product: TP-Link Archer BE230)
CVE-2026-22227 (Same product: TP-Link Archer BE230)
CVE-2026-22222 (Same product: TP-Link Archer BE230)
CVE-2026-22226 (Same product: TP-Link Archer BE230)
CVE-2026-0630 (Same product: TP-Link Archer BE230)
CVE-2026-22225 (Same product: TP-Link Archer BE230)
CVE-2026-30815 (Same vendor: TP-Link)
