Cyber Resilience

CVE-2026-22226

HighUpdated

Published: 02 February 2026

Published
02 February 2026
Modified
04 June 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0239 81.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22226 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22226 is a command injection vulnerability (CWE-78) that can be exploited after administrative authentication in the VPN server configuration module of the TP-Link Archer BE230 v1.2 router. It affects versions prior to 1.2.4 Build 20251218 rel.70420. Published on 2026-02-02, this CVE tracks one of multiple distinct OS command injection issues identified across separate code paths in the device firmware, with each instance assigned a unique CVE ID. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An authenticated administrator with network access to the device can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary OS commands, potentially gaining full administrative control of the router. This results in severe compromise of configuration integrity, network security, and service availability.

TP-Link advisories direct users to download updated firmware for the Archer BE230 v1.20 from regional support pages to mitigate the issue. Additional mitigation details are provided in the manufacturer's support FAQ at https://www.tp-link.com/us/support/faq/4935/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A command injection vulnerability may be exploited after the admin's authentication in the VPN server configuration module on TP-Link Archer BE230 v1.2 and Archer AX73 v2. Successful exploitation could allow an attacker to gain full administrative control of the device,…

more

resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AX73 v2 < 1.3.1 Build 20260430.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection in public-facing router config module enables T1190 exploitation and arbitrary OS command execution via T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0630Same product: Tp-Link Archer Be230
CVE-2026-22225Same product: Tp-Link Archer Be230
CVE-2026-22224Same product: Tp-Link Archer Be230
CVE-2026-22222Same product: Tp-Link Archer Be230
CVE-2026-0631Same product: Tp-Link Archer Be230
CVE-2026-22229Same product: Tp-Link Archer Be230
CVE-2026-22221Same product: Tp-Link Archer Be230
CVE-2026-22227Same product: Tp-Link Archer Be230
CVE-2026-22223Same product: Tp-Link Archer Be230
CVE-2026-30818Same vendor: Tp-Link

Affected Assets

tp-link
archer be230 firmware
≤ 1.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of inputs in the VPN configuration module to block OS command injection strings.

prevent

Mandates timely application of the vendor firmware patch (v1.2.4 Build 20251218) that eliminates the command-injection flaw.

prevent

Enforces disabling or restricting the VPN server configuration feature when not required, reducing the exposed attack surface.

References