VYPR
High severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-5509

Description

An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 routers that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can use the browser’s developer console to supply crafted input that is passed to backend system commands without adequate sanitization.

Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router’s operating environment.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection in Archer BE450 v1 and BE7200 v1 routers allows an admin to execute arbitrary system commands via crafted input in the web management interface.

Vulnerability

An authenticated command injection vulnerability exists in the Archer BE450 v1 and Archer BE7200 v1 routers. The flaw resides in the web management interface where user-supplied input is passed to backend system commands without adequate sanitization [4]. Affected versions are those prior to firmware 1.3.0 Build 20260416 for both models [4]. The vulnerability requires the attacker to have administrative credentials to the router's admin interface.

Exploitation

After successfully authenticating to the admin interface, an attacker can leverage the browser's developer console to supply a crafted input that is then passed unsanitized to backend system commands [4]. No additional user interaction or network position beyond local network access to the router's management interface is required. The attacker can execute arbitrary commands with elevated privileges on the device.

Impact

Successful exploitation enables execution of arbitrary commands with elevated privileges, allowing the attacker to start unauthorized services, modify system configuration, or fully compromise the router's operating environment [4]. This corresponds to high confidentiality, integrity, and availability impact, reflected in the CVSS v4.0 score of 8.5 [4].

Mitigation

TP-Link has released firmware version 1.3.0 Build 20260416 for both Archer BE450 v1 and Archer BE7200 v1 to fix the vulnerability [3][4]. Users are strongly recommended to download and install the latest firmware from the official TP-Link support pages [1][2][3]. No workarounds are documented; updating firmware is the only mitigation. The advisory notes that BE450 and BE7200 are not sold in the US [4].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
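Because updating firmware is the only mitigation, a fleet check against the fixed release named under Mitigation is the practical control. The following is an added example, not code from TP-Link or from this advisory: it classifies inventory records by model, hardware revision and firmware string. The record field names, the tolerated trailing suffix on the firmware string, and the ordering rule (version first, then build date) are assumptions, and the inventory is constructed sample data.

```python
import re

# Fixed release named in the advisory for both affected models.
FIXED = ((1, 3, 0), 20260416)
AFFECTED_MODELS = {("BE450", "v1"), ("BE7200", "v1")}

# Matches "1.3.0 Build 20260416"; trailing text after the build date is
# ignored (tolerating a suffix is an assumption, not from the advisory).
_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\b", re.IGNORECASE)

def parse_firmware(text):
    """Return ((major, minor, patch), build_date) or None if unparseable."""
    m = _FW_RE.match(text or "")
    if not m:
        return None
    return (tuple(int(g) for g in m.group(1, 2, 3)), int(m.group(4)))

def normalize_model(model, hw_rev):
    """('Archer BE7200', 'V1.0') -> ('BE7200', 'v1')."""
    name = model.upper().replace("ARCHER", "").strip()
    rev = re.match(r"\s*v?(\d+)", hw_rev, re.IGNORECASE)
    return (name, ("v" + rev.group(1)) if rev else hw_rev.strip().lower())

def classify(device):
    """Return 'not-affected', 'vulnerable', 'fixed' or 'unknown'."""
    if normalize_model(device["model"], device["hw_rev"]) not in AFFECTED_MODELS:
        return "not-affected"
    fw = parse_firmware(device.get("firmware"))
    if fw is None:
        return "unknown"  # unparseable string: flag for manual review
    # Assumption: releases order by version tuple, then by build date.
    return "vulnerable" if fw < FIXED else "fixed"

# Constructed sample inventory (hypothetical hosts, not real devices).
INVENTORY = [
    {"host": "rtr-lobby", "model": "Archer BE450", "hw_rev": "v1", "firmware": "1.2.4 Build 20251103"},
    {"host": "rtr-lab", "model": "Archer BE7200", "hw_rev": "V1.0", "firmware": "1.3.0 Build 20260416 rel.1"},
    {"host": "rtr-shop", "model": "Archer BE7200", "hw_rev": "v1", "firmware": "1.3.0 Build 20260301"},
    {"host": "rtr-annex", "model": "Archer BE450", "hw_rev": "v1", "firmware": "n/a"},
    {"host": "rtr-other", "model": "OtherModel X1", "hw_rev": "v1", "firmware": "1.1.0 Build 20240101"},
]

def audit(inventory):
    """Map each host to its classification."""
    return {d["host"]: classify(d) for d in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```

Records reported as `unknown` need their firmware version read from the device itself before they can be cleared.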
