TP-LINK has disclosed authenticated command injection vulnerabilities in its Archer BE230 Wi‑Fi 7 router (version 1.2), prompting a firmware update that TP-Link urges users to apply immediately. The flaws are tracked under a cluster of CVEs including CVE-2026-0630, CVE-2026-0631, CVE-2026-22221 through CVE-2026-22227, and CVE-2026-22229, with a CVSS v4.0 score of 8.5 for most IDs and 8.6 for CVE-2026-22229, which relates to importing crafted configuration files.
According to the TP-Link Security Advisory, multiple authenticated OS command injection vulnerabilities span across Web, VPN, Cloud Communication, VPN Connection Service, VPN Server Configuration, Configuration Backup Restoration, and Import of Crafted Configuration File functionalities, each representing a distinct injection path.
If an attacker compromises administrative credentials, they can escalate to full administrative control of the device, enabling eavesdropping, redirection of users, or use as a launchpad for further attacks. The article notes that the flaws require authentication but emphasises the potential impact, and advises updating firmware and strengthening management interface passwords while disabling remote management if not needed.