Cyber Resilience

CVE-2026-22221

High

Published: 02 February 2026

Published
02 February 2026
Modified
06 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0129 66.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22221 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 33.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22221 is an OS command injection vulnerability (CWE-78) affecting the VPN modules in TP-Link Archer BE230 v1.2 firmware versions prior to 1.2.4 Build 20251218 rel.70420. This issue represents one of multiple distinct OS command injection flaws identified across separate code paths in the device, with each tracked under a unique CVE ID. The vulnerability has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An adjacent, low-privileged authenticated attacker can exploit this vulnerability to execute arbitrary operating system commands on the device. Successful exploitation grants full administrative control, enabling severe compromise of the device's configuration integrity, network security, and service availability.

TP-Link advisories recommend mitigation through firmware updates, with patches available via download pages for the Archer BE230 v1.20 on regional support sites, including the US, global, and Singapore variants. A related FAQ provides additional guidance on the update process.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network…

more

security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

OS command injection in authenticated VPN service allows low-priv adjacent attacker to escalate to full admin (T1068) via exploitation of the device's remote management/VPN service (T1210).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0631Same product: Tp-Link Archer Be230
CVE-2026-22229Same product: Tp-Link Archer Be230
CVE-2026-22223Same product: Tp-Link Archer Be230
CVE-2026-22226Same product: Tp-Link Archer Be230
CVE-2026-0630Same product: Tp-Link Archer Be230
CVE-2026-22225Same product: Tp-Link Archer Be230
CVE-2026-22224Same product: Tp-Link Archer Be230
CVE-2026-22222Same product: Tp-Link Archer Be230
CVE-2026-22227Same product: Tp-Link Archer Be230
CVE-2026-3841Same vendor: Tp-Link

Affected Assets

tp-link
archer be230 firmware
≤ 1.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection vulnerability by validating and sanitizing inputs to the VPN modules before processing.

prevent

Ensures timely remediation of the specific firmware flaw through patching to version 1.2.4 Build 20251218 rel.70420 or later.

prevent

Limits damage from successful command injection and privilege escalation by enforcing least privilege on VPN module processes.

References