Security Advisory: Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers (CVE-2026-11834)
Vulnerability and Impact Description:
CVE-2026-11834
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state.
Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges, potentially leading to full compromise of the affected device and unauthorized administrative control.
CVSS v4.0 Score: 8.7 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
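An added example, not part of TP-Link's advisory or firmware: a monitoring-side check that walks the options field of a captured DHCP reply (RFC 2132 code/length/value layout) and flags text-valued options whose content falls outside a conservative allow-list. The advisory does not say which option is affected, so the option set, the allow-list and the sample bytes are assumptions constructed for illustration.

```python
import re

# Text-valued options from RFC 2132 (a selection; the advisory does not say
# which option the affected firmware mishandles, so this set is an assumption).
TEXT_OPTIONS = {12: "host-name", 15: "domain-name", 17: "root-path",
                66: "tftp-server-name", 67: "bootfile-name"}
PAD, END = 0, 255
# Conservative allow-list for values that may later reach a shell or config file.
SAFE_VALUE = re.compile(rb"[A-Za-z0-9._:/-]{1,255}")


def parse_options(field: bytes):
    """Yield (code, value) from a DHCP options field; raise on truncation."""
    i = 0
    while i < len(field):
        code = field[i]
        i += 1
        if code == PAD:
            continue
        if code == END:
            return
        if i >= len(field) or i + 1 + field[i] > len(field):
            raise ValueError(f"option {code}: truncated or overlong")
        length = field[i]
        yield code, field[i + 1:i + 1 + length]
        i += 1 + length


def suspicious_options(field: bytes):
    """Return [(code, name, value)] for text options outside the allow-list."""
    findings = []
    for code, value in parse_options(field):
        name = TEXT_OPTIONS.get(code)
        if name and not SAFE_VALUE.fullmatch(value):
            findings.append((code, name, value))
    return findings


# Constructed sample: subnet mask (1), a clean host name (12), and a domain
# name (15) carrying a shell metacharacter, followed by the END option.
SAMPLE = (bytes([1, 4, 255, 255, 255, 0]) + bytes([12, 6]) + b"cpe-01"
          + bytes([15, 9]) + b"lan;x.net" + bytes([END]))

if __name__ == "__main__":
    for code, name, value in suspicious_options(SAMPLE):
        print(f"option {code} ({name}) rejected: {value!r}")
```

Binary options such as the subnet mask are skipped on purpose, because their raw bytes can coincide with punctuation and would produce false positives.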
Affected Products/Versions and Fixes:
| Product Model | Hardware Version | Fixed Firmware Version |
|---|---|---|
| Archer MR200(EN) | V7 | 1.3.0 Build 250605 |
| Archer MR200(EU) | V8 | 1.5.0 Build 260605 |
| Archer MR402(EU) | V1 | 1.5.0 Build 260605 |
| Archer VR2100(EU) | V1 | EU_V1_260330 |
| Archer C20 | V5 | EU_V5_260317 US_V5_260419 |
| Archer C20 | V6 | V6_260608 |
| TL-MR6400(EU) | V7 | 1.7.0 Build 260413 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Update affected devices to the latest firmware version that fixes the vulnerability:
  - EN:
    - Download for Archer MR200 | TP-Link
    - Download for Archer MR402 | TP-Link
    - Download for TL-MR6400 | TP-Link
    - Download for Archer VR2100 | TP-Link
    - Download for Archer C20 | TP-Link
  - US:
    - Download for Archer C20 | TP-Link
Note: Archer MR200, MR402, VR2100, TL-MR400 are not sold in the US.
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.