CVE-2026-22226
Published: 02 February 2026
Summary
CVE-2026-22226 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing router config module enables T1190 exploitation and arbitrary OS command execution via T1059.
NVD Description
A command injection vulnerability may be exploited after the admin's authentication in the VPN server configuration module on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe…
more
compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Deeper analysisAI
CVE-2026-22226 is a command injection vulnerability (CWE-78) that can be exploited after administrative authentication in the VPN server configuration module of the TP-Link Archer BE230 v1.2 router. It affects versions prior to 1.2.4 Build 20251218 rel.70420. Published on 2026-02-02, this CVE tracks one of multiple distinct OS command injection issues identified across separate code paths in the device firmware, with each instance assigned a unique CVE ID. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An authenticated administrator with network access to the device can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary OS commands, potentially gaining full administrative control of the router. This results in severe compromise of configuration integrity, network security, and service availability.
TP-Link advisories direct users to download updated firmware for the Archer BE230 v1.20 from regional support pages to mitigate the issue. Additional mitigation details are provided in the manufacturer's support FAQ at https://www.tp-link.com/us/support/faq/4935/.
Details
- CWE(s)