Do Son 
- CVE: CVE-2026-11834
- CVSS: 8.7 (High · CVSSv4)
- Product: TP-Link Systems Inc. Archer MR200 v07
- Affected: < 1.3.0 Build 250605, < 1.5.0 Build 260605, < EU_V1_260330, < EU_V5_260317, < US_V5_260419, < V6_260608 (+1 more)
- Impact: Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers
- Status: No confirmed exploitation yet
- Patched in: 1.3.0 Build 250605, 1.5.0 Build 260605, EU_V1_260330, EU_V5_260317 (+3 more)
- EPSS: 0.4% (30-day)
- Action: Update to 1.3.0 Build 250605, 1.5.0 Build 260605, EU_V1_260330, EU_V5_260317 (+3 more) now
TP-Link recently published a high-severity security advisory regarding CVE-2026-11834. Therefore, multiple TP-Link routers face a severe TP-Link router command injection vulnerability. This CVSS 8.7 flaw allows unauthenticated remote code execution on the local network. Currently, no active exploitation in the wild has been confirmed. Additionally, no public proof-of-concept exists for this specific flaw yet.
Why This Vulnerability Matters
This DHCP option vulnerability poses a significant risk to residential and business networks. First, the flaw commonly affects devices in a factory-default state. Thus, newly installed routers remain highly vulnerable before their initial configuration finishes. An adjacent attacker could gain unauthorized administrative control over the hardware. Consequently, they could entirely compromise the affected device. “Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges,” TP-Link warned. This leads to total system takeover without requiring any user interaction.
How the Attack Works
The core mechanism involves improper validation during DHCP option processing. Specifically, the router fails to sanitize externally supplied DHCP option data. Next, an attacker supplies crafted DHCP responses to the unconfigured target device. This malicious payload triggers unauthorized command execution during the device initialization workflow. Therefore, the attacker successfully achieves an unauthenticated remote code execution condition.
Affected Versions and Patch Steps
This TP-Link router command injection flaw affects numerous popular hardware models. Affected products include the Archer MR200 (V7, V8) and Archer MR402 (V1). Furthermore, the Archer VR2100 (V1), Archer C20 (V5, V6), and TL-MR6400 (V7) contain this security flaw.
Users must secure their network infrastructure immediately to prevent attacks. First, you should identify your specific router model and hardware version. Next, update your device to the latest fixed firmware version provided by the vendor. Finally, you can find detailed upgrade instructions and downloads on the official TP-Link support page.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
