Cyber Resilience

CVE-2026-22224

High

Published: 02 February 2026

Published
02 February 2026
Modified
06 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0260 83.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22224 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 16.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22224 is a command injection vulnerability (CWE-78) in the cloud communication interface of the TP-Link Archer BE230 v1.2 router, exploitable after administrator authentication. It affects versions prior to 1.2.4 Build 20251218 rel.70420. Published on 2026-02-02, this CVE addresses one of multiple distinct OS command injection issues identified across separate code paths, with each tracked under a unique CVE ID.

An authenticated administrator with network access can exploit this vulnerability with low complexity, as indicated by its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows the attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability.

TP-Link advisories direct users to firmware download pages for the Archer BE230 across regions such as the US, Singapore, and others, recommending an update to version 1.2.4 Build 20251218 rel.70420 or later to mitigate the issue. Further details are provided in TP-Link's support FAQ at https://www.tp-link.com/us/support/faq/4935/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A command injection vulnerability may be exploited after the admin's authentication in the cloud communication interface on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise…

more

of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Authenticated command injection on network device directly enables arbitrary OS/CLI command execution via T1059.008.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22222Same product: Tp-Link Archer Be230
CVE-2026-0631Same product: Tp-Link Archer Be230
CVE-2026-22226Same product: Tp-Link Archer Be230
CVE-2026-0630Same product: Tp-Link Archer Be230
CVE-2026-22225Same product: Tp-Link Archer Be230
CVE-2026-22229Same product: Tp-Link Archer Be230
CVE-2026-22221Same product: Tp-Link Archer Be230
CVE-2026-22227Same product: Tp-Link Archer Be230
CVE-2026-22223Same product: Tp-Link Archer Be230
CVE-2025-15518Same vendor: Tp-Link

Affected Assets

tp-link
archer be230 firmware
≤ 1.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all inputs to the cloud interface to block OS command injection strings before they reach the shell.

prevent

Mandates prompt application of the vendor firmware update (1.2.4 Build 20251218) that removes the distinct command-injection code paths.

prevent

Restricts the set of privileged operations an authenticated administrator account can perform, limiting the blast radius even if injection succeeds.

References