Several authenticated command injection vulnerabilities affecting TP-Link's well-known Archer BE230 Wi-Fi 7 router (v1.2) have been addressed in a critical security advisory. The vulnerabilities, which are tracked under multiple CVE identifiers, may allow an authenticated attacker to execute arbitrary system commands and obtain complete administrative control over the device. Independent researchers JRO, CaprinuxX, and Sunshinefactory responsibly disclosed the problems, and TP-Link formally acknowledged them in an advisory update on February 2, 2026.

Overview of Vulnerabilities

Security researchers found multiple OS command injection vulnerabilities in various Archer BE230 firmware modules, specifically in version 1.2 (builds prior to 1.2.4 Build 20251218 rel.70420). Every vulnerability results from inadequate input validation in administrative interfaces, where user-supplied parameters are used without being properly sanitized.

Numerous web and VPN-related components are impacted by these problems:

- VPN Modules and Services (CVE-2026-0631, CVE-2026-22221, CVE-2026-22223, CVE-2026-22225, CVE-2026-22226)
- Web Management Modules (CVE-2026-0630, CVE-2026-22222)
- Cloud and Configuration Features (CVE-2026-22224, CVE-2026-22227, CVE-2026-22229)

Exploitation requires administrative authentication, but a threat actor who has obtained credentials through phishing, brute forcing, or a previous compromise could use these vulnerabilities to run arbitrary shell commands on the router's operating system. The attack would enable network traffic interception, configuration changes, or total disruption of service availability. On the CVSS v4.0 scale, the severity scores range from 8.5 to 8.6 (High), highlighting the possible impact on the availability, confidentiality, and integrity of the device and the connected network.

CVE ID | Affected Component | CVSS v4.0 Score | Severity | Access Vector
--- | --- | --- | --- | ---
CVE-2026-0630 | Web Module | 8.5 | High | Adjacent (AV:A)
CVE-2026-0631 | VPN Module | 8.5 | High | Adjacent (AV:A)
CVE-2026-22221 | VPN Module | 8.5 | High | Adjacent (AV:A)
CVE-2026-22222 | Web Module | 8.5 | High | Adjacent (AV:A)
CVE-2026-22223 | VPN Module | 8.5 | High | Adjacent (AV:A)
CVE-2026-22224 | Cloud Communication | 8.5 | High | Adjacent (AV:A)
CVE-2026-22225 | VPN Connection Service | 8.5 | High | Adjacent (AV:A)
CVE-2026-22226 | VPN Config Module | 8.5 | High | Adjacent (AV:A)
CVE-2026-22227 | Config Backup Restore | 8.5 | High | Adjacent (AV:A)
CVE-2026-22229 | Crafted Config File Import | 8.6 | High | Network (AV:N)

If an exploit is successful, it could allow attackers to change firmware settings, redirect traffic, and obtain full administrative privileges, jeopardizing the integrity of both the device and the data. In shared home or business settings, this could reveal private information or provide an entry point for more serious network intrusion.

Mitigation

TP-Link strongly encourages users to update to firmware version 1.2.4, Build 20251218 rel.70420, or later, right away. Updated firmware is available from the official TP-Link support portals. To reduce exposure to attacks, administrators should also enforce strong router passwords, turn off remote management when not in use, and routinely check for firmware updates.
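
An added example (not from TP-Link or the original article) that checks reported firmware strings against the fixed build named above. It assumes every entry is an Archer BE230 v1.2 and that devices report firmware in the same layout the advisory uses; the inventory names and the non-fixed version strings are constructed.

```python
import re

# Fixed release named in the advisory: 1.2.4 Build 20251218 rel.70420
FIXED_VERSION, FIXED_DATE, FIXED_REL = (1, 2, 4), 20251218, 70420

# Assumed layout of a reported firmware string, modelled on the advisory's wording.
_FW_RE = re.compile(
    r"(\d+(?:\.\d+)+)\s*,?\s*Build\s+(\d{8})(?:\s+rel\.?\s*(\d+))?", re.IGNORECASE)

def parse_firmware(text):
    """Return (version_tuple, build_date, rel_or_None), or None if unparseable."""
    m = _FW_RE.search(text or "")
    if not m:
        return None
    version = tuple(int(p) for p in m.group(1).split("."))
    rel = int(m.group(3)) if m.group(3) else None
    return version, int(m.group(2)), rel

def status(firmware):
    """Classify one firmware string as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_firmware(firmware)
    if parsed is None:
        return "unknown"  # unparseable: flag for a manual check, never assume patched
    version, date, rel = parsed
    fixed = (FIXED_VERSION, FIXED_DATE)
    if (version, date) != fixed:
        return "patched" if (version, date) > fixed else "vulnerable"
    if rel is None:
        return "unknown"  # same version and date, but the rel number is missing
    return "patched" if rel >= FIXED_REL else "vulnerable"

def audit(inventory):
    """Map device name -> status for each (name, firmware_string) pair."""
    return {name: status(fw) for name, fw in inventory}

# Constructed sample inventory (hypothetical device names and older/newer builds).
SAMPLE = [
    ("lobby", "1.2.4 Build 20251218 rel.70420"),
    ("branch", "1.2.3 Build 20250912 rel.51234"),
    ("lab", "1.2.5, Build 20260115 rel.10001"),
    ("closet", "firmware: n/a"),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(f"{name}: {result}")
```

Entries reported as "unknown" need a manual look at the router's firmware page rather than being counted as patched.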