CVE-2026-22229
Published: 02 February 2026
Summary
CVE-2026-22229 is a high-severity OS Command Injection (CWE-78) vulnerability in TP-Link Archer BE230 firmware. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 28.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated command injection (CWE-78) via crafted config import on network device firmware directly enables OS command execution (Unix shell) and exploitation for privilege escalation from web admin to full device control.
NVD Description
A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2 and Deco BE25 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Deco BE25 v1.0: through 1.1.1 Build 20250822.
Deeper analysis
CVE-2026-22229 is a command injection vulnerability (CWE-78) that can be exploited after an administrator authenticates by importing a crafted VPN client configuration file on TP-Link Archer BE230 v1.2 devices prior to firmware version 1.2.4 Build 20251218 rel.70420 and Deco BE25 v1.0 devices through firmware version 1.1.1 Build 20250822. This issue represents one of multiple distinct OS command injection vulnerabilities identified across separate code paths in the devices' firmware, with each tracked under a unique CVE ID. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Exploitation requires network access and administrative privileges (PR:H), but has low attack complexity and no user interaction beyond the admin's authentication to import the malicious file. A successful attacker can execute arbitrary OS commands, gaining full administrative control of the device. This leads to severe compromise, including alteration of device configurations, disruption of network security, and denial of service affecting availability.
TP-Link advisories provide firmware updates as the primary mitigation, available via download pages for Archer BE230 v1.20 and Deco BE25 across regional support sites (e.g., US, global, Singapore). Security practitioners should verify and apply the specified fixed builds—1.2.4 Build 20251218 rel.70420 for Archer BE230 v1.2 and beyond 1.1.1 Build 20250822 for Deco BE25 v1.0—to remediate the vulnerability.
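To verify the fixed builds across a fleet, the affected ranges stated above can be checked against inventoried firmware strings. The following is an added example, not code from TP-Link or NVD; the inventory rows, function names, and the ordering of builds by version number and then build date are assumptions.

```python
import re

# Firmware strings as the advisory writes them, e.g. "1.2.4 Build 20251218 rel.70420".
_FW = re.compile(r"^\s*(\d+(?:\.\d+)*)\s+Build\s+(\d{8})(?:\s+rel\.\d+)?\s*$", re.I)

# (model, hardware revision) -> (bound, bound_is_affected), taken from the text above.
BOUNDS = {
    ("archer be230", "v1.2"): ("1.2.4 Build 20251218 rel.70420", False),  # affected below
    ("deco be25", "v1.0"): ("1.1.1 Build 20250822", True),                # affected through
}

def parse_fw(text):
    """Return ((major, minor, ...), build_date) for a firmware string."""
    m = _FW.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def is_affected(model, hw_rev, firmware):
    """True/False for in-scope hardware, None if this CVE does not name it."""
    key = (model.strip().lower(), hw_rev.strip().lower())
    if key not in BOUNDS:
        return None
    bound, bound_is_affected = BOUNDS[key]
    current, limit = parse_fw(firmware), parse_fw(bound)
    # Assumption: builds order by version number first, then build date.
    if current == limit:
        return bound_is_affected
    return current < limit

def triage(inventory):
    """Split inventory rows into devices to patch and rows needing manual review."""
    patch, review = [], []
    for row in inventory:
        try:
            verdict = is_affected(*row)
        except ValueError:
            review.append(row)  # unparseable version: check the device by hand
            continue
        if verdict:
            patch.append(row)
    return patch, review

# Constructed sample inventory, not real device data.
INVENTORY = [
    ("Archer BE230", "v1.2", "1.2.3 Build 20250901 rel.11111"),
    ("Archer BE230", "v1.2", "1.2.4 Build 20251218 rel.70420"),
    ("Deco BE25", "v1.0", "1.1.1 Build 20250822"),
    ("Deco BE25", "v1.0", "unknown"),
]
```

Rows that fail to parse are routed to manual review rather than treated as unaffected, so an unreadable version string never counts as patched.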
Details
- CWE(s)