Security Advisory on Authenticated Command Injection Vulnerabilities on Archer BE230 (CVE-2026-0630, CVE-2026-0631, CVE-2026-22221-22227, CVE-2026-22229)

Security Advisory
Updated 02-02-2026 18:01:13 PM

Vulnerabilities' Description:

Multiple authenticated OS command injection vulnerabilities were identified in Archer BE230 v1.2 across the following components:

  • Web Modules: CVE-2026-0630 & CVE-2026-22222
  • VPN Modules: CVE-2026-0631, CVE-2026-22221, CVE-2026-22223
  • Cloud Communication Modules: CVE-2026-22224
  • VPN Connection Service: CVE-2026-22225
  • VPN Server Configuration Module: CVE-2026-22226
  • Configuration Backup Restoration Function: CVE-2026-22227
  • Import of Crafted Configuration File: CVE-2026-22229

Each CVE represents a distinct OS command injection issue in a separate code path, and is therefore tracked under an individual CVE ID.

The CVSS scores are identical for the following CVE IDs: CVE-2026-0630, CVE-2026-0631, and CVE-2026-22221 to CVE-2026-22227.

CVSS v4.0 Score: 8.5 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CVE-2026-22229: Import of Crafted Configuration File

CVSS v4.0 Score: 8.6 / High

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Impacts:

Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability.

Affected Products/Versions and Fixes:

| Affected Product Model | Affected Version |
|---|---|
| Archer BE230 v1.2 | < 1.2.4 Build 20251218 rel.70420 |
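
A fleet check against the affected-version entry above, as an added example that is not part of TP-Link's advisory: it classifies inventory rows for Archer BE230 v1.2 against the fixed firmware 1.2.4 Build 20251218 rel.70420 and reports unreadable version strings as unknown instead of patched. The inventory rows, the host names, the split of model and hardware version into separate fields, and the ordering rule (version, then build date, then rel number) are assumptions.

```python
import re
from typing import NamedTuple, Optional

# From the advisory: Archer BE230 v1.2 is affected below this firmware.
AFFECTED_MODEL = "archer be230"
AFFECTED_HW = "v1.2"
FIXED_FW = "1.2.4 Build 20251218 rel.70420"
_FW_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\s+rel\.(\d+)", re.I)

class Firmware(NamedTuple):
    version: tuple  # (major, minor, patch)
    build: int      # build date as YYYYMMDD
    rel: int        # release number

def parse_firmware(text: str) -> Optional[Firmware]:
    """Parse 'X.Y.Z Build YYYYMMDD rel.N'; return None if it does not match."""
    m = _FW_RE.search(text or "")
    if m is None:
        return None
    major, minor, patch, build, rel = (int(g) for g in m.groups())
    return Firmware((major, minor, patch), build, rel)

def classify(model: str, hw: str, fw: str) -> str:
    """Return 'affected', 'fixed', 'not-applicable' or 'unknown' for one device."""
    if model.strip().lower() != AFFECTED_MODEL or hw.strip().lower() != AFFECTED_HW:
        return "not-applicable"
    parsed = parse_firmware(fw)
    if parsed is None:
        return "unknown"  # never treat an unreadable version as patched
    # Assumption: releases order by version, then build date, then rel number.
    return "affected" if parsed < parse_firmware(FIXED_FW) else "fixed"

# Constructed inventory rows: (host, model, hardware version, firmware string).
INVENTORY = [
    ("ap-lobby", "Archer BE230", "v1.2", "1.2.3 Build 20250801 rel.11111"),
    ("ap-lab", "Archer BE230", "V1.2", "1.2.4 Build 20251218 rel.70420"),
    ("ap-store", "Archer BE230", "v1.2", "firmware: n/a"),
    ("ap-other", "Other Model", "v1.0", "1.0.0 Build 20230101 rel.10000"),
]

def audit(rows):
    """Map each host to its classification."""
    return {host: classify(model, hw, fw) for host, model, hw, fw in rows}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```

Devices reported as unknown need a manual firmware check before they are counted as remediated.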

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. Download and update to the latest firmware version to fix the vulnerabilities.

US: Download for Archer BE230 | TP-Link

EN: Download for Archer BE230 | TP-Link

SG: Download for Archer BE230 | TP-Link Singapore

Acknowledgements:

We thank jro, caprinuxx and sunshinefactory for reporting these vulnerabilities to us.

Disclaimer:

If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.
