CVE-2026-22222
Published: 02 February 2026
Summary
CVE-2026-22222 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection (CWE-78) by requiring input validation and error handling at web module entry points exploited in this vulnerability.
Requires timely flaw remediation through firmware updates to version 1.2.4 Build 20251218 rel.70420 or later, eliminating this specific command injection issue.
Limits damage from low-privilege authenticated attackers by enforcing least privilege on web module processes that could execute injected commands.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in router web interface directly enables arbitrary command execution via the network device CLI (T1059.008).
NVD Description
An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity,…
more
network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Deeper analysisAI
CVE-2026-22222 is an OS command injection vulnerability (CWE-78) present in the web modules of the TP-Link Archer BE230 v1.2 router. It affects versions prior to 1.2.4 Build 20251218 rel.70420. This issue represents one of multiple distinct OS command injection vulnerabilities identified across separate code paths in the device, with each tracked under a unique CVE ID.
An adjacent authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary OS commands. Successful exploitation enables the attacker to gain full administrative control of the device, leading to severe compromise of configuration integrity, network security, and service availability. The CVSS v3.1 base score is 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
TP-Link advisories recommend updating to firmware version 1.2.4 Build 20251218 rel.70420 or later, available via regional support download pages such as https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware and equivalents for other regions. Further mitigation details are provided in the support FAQ at https://www.tp-link.com/us/support/faq/4935/.
Details
- CWE(s)