A new security advisory from TP-Link has disclosed multiple authenticated command injection vulnerabilities affecting its Archer BE230 Wi-Fi 7 router, specifically version 1.2.
The vulnerabilities, tracked under a cluster of CVE IDs including CVE-2026-0630, CVE-2026-0631, CVE-2026-22221 through CVE-2026-22227, and CVE-2026-22229, allow attackers to execute arbitrary operating system commands. While the flaws require authentication, the impact is severe: a successful exploit grants total control over the device.
What makes this advisory notable is the sheer breadth of affected components. The flaws aren’t isolated to a single obscure feature; they span critical router functions.
“Multiple Authenticated OS command injection vulnerabilities were identified in Archer BE230 v1.2 across the following components: Web Modules… VPN Modules… Cloud Communication Modules… VPN Connection Service… VPN Server Configuration Module… Configuration Backup Restoration Function… Import of Crafted Configuration File.” — TP-Link Security Advisory
Each vulnerability represents a distinct path for injection, meaning an attacker has multiple potential avenues to exploit the system depending on which features are enabled or accessible.
The vulnerabilities carry a CVSS v4.0 score of 8.5 (High) for most of the IDs, with CVE-2026-22229 (related to importing crafted configuration files) scoring slightly higher at 8.6.
If an attacker compromises the router’s administrative credentials—perhaps through phishing, credential stuffing, or default password usage—they can leverage these injection points to escalate their access from “admin” to “root.”
“Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability.” — TP-Link Security Advisory
Once in control, an attacker could eavesdrop on network traffic, redirect users to malicious sites, or use the router as a launchpad for attacks on other devices within the network.
TP-Link is urging users of the Archer BE230 (v1.2) to update their firmware immediately. Given the authenticated nature of these flaws, administrators should also ensure they are using strong, unique passwords for the router’s management interface and disable remote management if it is not strictly necessary.