Cyber Resilience

CVE-2026-22227

High

Published: 02 February 2026

Published
02 February 2026
Modified
06 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0261 83.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22227 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Be230 Firmware. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22227 is a command injection vulnerability (CWE-78) in the configuration backup restoration function of the TP-Link Archer BE230 v1.2 router firmware. It affects versions prior to 1.2.4 Build 20251218 rel.70420 and represents one of multiple distinct OS command injection issues across separate code paths in the device, each tracked under a unique CVE ID. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

Exploitation requires an attacker to first authenticate as an administrator (PR:H), after which they can leverage the backup restoration feature over the network (AV:N) with low complexity and no user interaction. Successful exploitation grants full administrative control of the device, enabling severe compromise of configuration integrity, network security, and service availability.

TP-Link advisories recommend updating to firmware version 1.2.4 Build 20251218 rel.70420 or later, available via regional download pages such as those for the US, global, and Singapore sites. Additional guidance is provided in TP-Link's FAQ 4935.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A command injection vulnerability may be exploited after the admin's authentication via the configuration backup restoration function of the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe…

more

compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CWE-78 OS command injection in authenticated backup restore function directly enables arbitrary Unix shell command execution on the router firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0630Same product: Tp-Link Archer Be230
CVE-2026-22225Same product: Tp-Link Archer Be230
CVE-2026-22229Same product: Tp-Link Archer Be230
CVE-2026-22223Same product: Tp-Link Archer Be230
CVE-2026-22226Same product: Tp-Link Archer Be230
CVE-2026-22224Same product: Tp-Link Archer Be230
CVE-2026-22222Same product: Tp-Link Archer Be230
CVE-2026-0631Same product: Tp-Link Archer Be230
CVE-2026-22221Same product: Tp-Link Archer Be230
CVE-2026-30818Same vendor: Tp-Link

Affected Assets

tp-link
archer be230 firmware
≤ 1.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor firmware patch (1.2.4 Build 20251218) that eliminates the command-injection flaw in the backup-restoration code path.

prevent

Mandates validation and sanitization of all input supplied to the configuration backup restoration function, blocking the OS command injection (CWE-78) before it can be executed.

prevent

Enforces access restrictions and authorization checks specifically for configuration-change operations such as backup restoration, limiting the post-authentication attack surface to only trusted administrators.

References