CVE-2026-22225

HighRCE

Published: 02 February 2026

Published

02 February 2026

Modified

19 March 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0047 64.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22225 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

SI-10 Information Input Validation

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection in exposed VPN service directly enables T1190 exploitation of public-facing app and T1059.004 Unix shell command execution on the router.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2 and Archer AXE75 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting…

in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108.

Deeper analysisAI

CVE-2026-22225 is a command injection vulnerability (CWE-78) in the VPN Connection Service on TP-Link Archer BE230 v1.2 and Archer AXE75 v1.0 routers. It can be exploited after an administrator's authentication and affects Archer BE230 v1.2 firmware versions prior to 1.2.4 Build 20251218 rel.70420, as well as Archer AXE75 v1.0 firmware versions prior to 1.5.3 Build 20260209 rel.71108. This CVE addresses one of multiple distinct OS command injection issues across separate code paths in the affected devices.

The vulnerability requires high privileges (PR:H) but has low attack complexity (AC:L) over the network (AV:N) with no user interaction (UI:N) needed, earning a CVSS v3.1 base score of 7.2 (High) due to high impacts on confidentiality, integrity, and availability in an unchanged scope (S:U). An authenticated administrator, or someone who has obtained admin credentials, can exploit it to execute arbitrary OS commands, potentially gaining full administrative control of the device and severely compromising configuration integrity, network security, and service availability.

TP-Link provides firmware updates as the primary mitigation, available via their support download pages for the Archer BE230 v1.2 (e.g., https://www.tp-link.com/en/support/download/archer-be230/v1/#Firmware and regional variants) and Archer AXE75 v1.0 (e.g., https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware). Security practitioners should prioritize updating affected devices to the specified patched firmware versions to prevent exploitation.

Details

CWE(s): CWE-78

Affected Products

tp-link

archer be230 firmware

≤ 1.2.4

CVEs Like This One

CVE-2026-0630Same product: Tp-Link Archer Be230

CVE-2026-22227Same product: Tp-Link Archer Be230

CVE-2026-22229Same product: Tp-Link Archer Be230

CVE-2026-22226Same product: Tp-Link Archer Be230

CVE-2026-22223Same product: Tp-Link Archer Be230

CVE-2026-22221Same product: Tp-Link Archer Be230

CVE-2026-22224Same product: Tp-Link Archer Be230

CVE-2026-0631Same product: Tp-Link Archer Be230

CVE-2026-22222Same product: Tp-Link Archer Be230

CVE-2024-57357Same vendor: Tp-Link

References

https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware
f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
Product · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
Product · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware
f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
Product · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/faq/4935/
Patch, Vendor Advisory · f23511db-6c3e-4e32-a477-6aa17d310630