
CVE-2026-22223

Severity: High
Published: 02 February 2026
Modified: 06 February 2026
CVSS v4.0 score: 8.5 (CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0142 (69.4th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-22223 is a high-severity OS command injection (CWE-78) vulnerability in TP-Link Archer BE230 firmware. Its CVSS v4.0 base score is 8.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 30.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22223 is an OS command injection vulnerability (CWE-78) affecting the VPN modules in TP-Link Archer BE230 v1.2 firmware versions prior to 1.2.4 Build 20251218 rel.70420. It is one of multiple distinct OS command injection flaws identified across separate code paths in the device, each tracked under its own CVE ID. Its CVSS v3.1 base score is 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high impact on confidentiality, integrity, and availability.

An adjacent, low-privileged authenticated attacker can exploit this vulnerability to execute arbitrary operating system commands on the device. Successful exploitation grants full administrative control, enabling severe compromise of the device's configuration integrity, network security posture, and service availability.

TP-Link advisories recommend updating affected Archer BE230 v1.2 devices to firmware version 1.2.4 Build 20251218 rel.70420 or later, available via regional support download pages such as those for the US, Singapore, and global English sites. Additional guidance is provided in TP-Link's FAQ 4935, which details the vulnerability and firmware upgrade process.


Vulnerability details

An OS command injection vulnerability in TP-Link Archer BE230 v1.2 (VPN modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

CWE(s)

CWE-78: OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1059.004 Unix Shell (tactic: Execution): adversaries may abuse Unix shell commands and scripts for execution.
- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

OS command injection (CWE-78) directly enables arbitrary Unix shell command execution on the embedded device OS and facilitates local privilege escalation from low-privileged authenticated access to full administrative control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-22229 (same product: TP-Link Archer BE230)
- CVE-2026-22227 (same product: TP-Link Archer BE230)
- CVE-2026-0630 (same product: TP-Link Archer BE230)
- CVE-2026-22225 (same product: TP-Link Archer BE230)
- CVE-2026-0631 (same product: TP-Link Archer BE230)
- CVE-2026-22221 (same product: TP-Link Archer BE230)
- CVE-2026-22226 (same product: TP-Link Archer BE230)
- CVE-2026-22224 (same product: TP-Link Archer BE230)
- CVE-2026-22222 (same product: TP-Link Archer BE230)
- CVE-2026-3227 (same vendor: TP-Link)

Affected Assets

Vendor: tp-link
Product: archer be230 firmware
Versions: ≤ 1.2.4

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly prevents OS command injection by requiring validation of untrusted inputs to the VPN modules before they are processed as system commands.

SI-2 Flaw Remediation (prevent, recover)
Mandates timely remediation of the specific command injection flaw through firmware updates to version 1.2.4 or later.

Least privilege (prevent)
Limits the damage from a successful injection by enforcing least privilege on VPN module processes, preventing escalation to full administrative control.
