Cyber Resilience

CVE-2026-22225

High

Published: 02 February 2026

Published
02 February 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0268 83.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22225 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22225 is a command injection vulnerability (CWE-78) in the VPN Connection Service on TP-Link Archer BE230 v1.2 and Archer AXE75 v1.0 routers. It can be exploited after an administrator's authentication and affects Archer BE230 v1.2 firmware versions prior to 1.2.4 Build 20251218 rel.70420, as well as Archer AXE75 v1.0 firmware versions prior to 1.5.3 Build 20260209 rel.71108. This CVE addresses one of multiple distinct OS command injection issues across separate code paths in the affected devices.

The vulnerability requires high privileges (PR:H) but has low attack complexity (AC:L) over the network (AV:N) with no user interaction (UI:N) needed, earning a CVSS v3.1 base score of 7.2 (High) due to high impacts on confidentiality, integrity, and availability in an unchanged scope (S:U). An authenticated administrator, or someone who has obtained admin credentials, can exploit it to execute arbitrary OS commands, potentially gaining full administrative control of the device and severely compromising configuration integrity, network security, and service availability.

TP-Link provides firmware updates as the primary mitigation, available via their support download pages for the Archer BE230 v1.2 (e.g., https://www.tp-link.com/en/support/download/archer-be230/v1/#Firmware and regional variants) and Archer AXE75 v1.0 (e.g., https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware). Security practitioners should prioritize updating affected devices to the specified patched firmware versions to prevent exploitation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2 and Archer AXE75 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting…

more

in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in exposed VPN service directly enables T1190 exploitation of public-facing app and T1059.004 Unix shell command execution on the router.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0630Same product: Tp-Link Archer Be230
CVE-2026-22227Same product: Tp-Link Archer Be230
CVE-2026-22226Same product: Tp-Link Archer Be230
CVE-2026-22229Same product: Tp-Link Archer Be230
CVE-2026-22223Same product: Tp-Link Archer Be230
CVE-2026-22224Same product: Tp-Link Archer Be230
CVE-2026-22222Same product: Tp-Link Archer Be230
CVE-2026-0631Same product: Tp-Link Archer Be230
CVE-2026-22221Same product: Tp-Link Archer Be230
CVE-2026-30818Same vendor: Tp-Link

Affected Assets

tp-link
archer be230 firmware
≤ 1.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor firmware patches that eliminate the command-injection flaw in the VPN Connection Service.

prevent

Mandates validation and sanitization of all inputs to the VPN service, blocking OS command injection attempts even from authenticated administrators.

preventdetect

Requires verification of firmware and software integrity, ensuring only patched, untampered images are loaded on the affected Archer devices.

References