CVE-2026-22223
Published: 02 February 2026
Summary
CVE-2026-22223 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation of untrusted inputs to VPN modules before processing as system commands.
Mandates timely remediation of the specific command injection flaw through firmware updates to version 1.2.4 or later.
Limits damage from successful injection by enforcing least privilege on VPN module processes, preventing escalation to full administrative control.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection (CWE-78) directly enables arbitrary Unix shell command execution on the embedded device OS and facilitates local privilege escalation from low-privileged authenticated access to full administrative control.
NVD Description
An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network…
more
security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Deeper analysisAI
CVE-2026-22223 is an OS command injection vulnerability (CWE-78) affecting the VPN modules in TP-Link Archer BE230 v1.2 firmware versions prior to 1.2.4 Build 20251218 rel.70420. This issue represents one of multiple distinct OS command injection flaws identified across separate code paths in the device, with each tracked under its own CVE ID. The vulnerability has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.
An adjacent, low-privileged authenticated attacker can exploit this vulnerability to execute arbitrary operating system commands on the device. Successful exploitation grants full administrative control, enabling severe compromise of the device's configuration integrity, network security posture, and service availability.
TP-Link advisories recommend updating affected Archer BE230 v1.2 devices to firmware version 1.2.4 Build 20251218 rel.70420 or later, available via regional support download pages such as those for the US, Singapore, and global English sites. Additional guidance is provided in TP-Link's FAQ 4935, which details the vulnerability and firmware upgrade process.
Details
- CWE(s)