Cyber Resilience

CVE-2026-30818

High

Published: 08 April 2026

Published
08 April 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0123 65.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30818 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Ax53 Firmware. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30818 is an OS command injection vulnerability (CWE-78) in the dnsmasq module of the TP-Link Archer AX53 v1.0 router firmware. The flaw arises from insufficient input validation when processing a specially crafted configuration file, enabling arbitrary code execution. It affects AX53 v1.0 firmware versions prior to 1.7.1 Build 20260213 and carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated adjacent attacker can exploit this vulnerability by supplying a malicious configuration file to the dnsmasq module. Successful exploitation allows execution of arbitrary operating system commands, potentially enabling the attacker to modify device configurations, access sensitive information, or further compromise the system's integrity.

Mitigation is available through a firmware update to version 1.7.1 Build 20260213 or later, which TP-Link has released for the Archer AX53 v1.0 on their support download pages for various regions. Additional details are provided in the Talos Intelligence vulnerability report and TP-Link's FAQ on securing routers. Security practitioners should verify and apply the patch promptly, especially for devices on adjacent networks.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow…

more

the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in network device firmware directly enables RCE via Unix shell (T1059.004) after exploitation of the exposed service (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30815Same product: Tp-Link Archer Ax53
CVE-2025-15608Same product: Tp-Link Archer Ax53
CVE-2025-61944Same product: Tp-Link Archer Ax53
CVE-2025-15607Same product: Tp-Link Archer Ax53
CVE-2026-30814Same product: Tp-Link Archer Ax53
CVE-2025-58077Same product: Tp-Link Archer Ax53
CVE-2025-62404Same product: Tp-Link Archer Ax53
CVE-2026-0630Same vendor: Tp-Link
CVE-2025-9377Same vendor: Tp-Link
CVE-2026-22225Same vendor: Tp-Link

Affected Assets

tp-link
archer ax53 firmware
≤ 1.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly addresses the insufficient input validation in dnsmasq configuration file processing that enables OS command injection.

prevent

SI-2 requires timely flaw remediation, such as applying the vendor-released firmware patch to version 1.7.1 Build 20260213 or later.

detect

RA-5 enables vulnerability scanning to identify this specific command injection flaw in router firmware for prompt remediation.

References