CVE-2026-9151

Vulnerability

An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers. This issue stems from improper filtering of special characters when importing a VPN client configuration file.

Exploitation

An adjacent, authenticated attacker can exploit this vulnerability by importing a specially crafted VPN client configuration file. The attacker needs network access to the router and valid user credentials.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device, potentially leading to full control of the affected router. This could compromise configuration integrity, network security, and service availability.

Mitigation

Firmware updates are available for the affected TP-Link Archer models. Users should visit the TP-Link support website for their specific model and hardware version to download and install the latest firmware. For example, Archer AX12(EU)_V1 has firmware version 1.5.0 Build 20260605 [3], and Archer AX1300(USW)_V1.6 has firmware version 1.5.0 Build 20260605 published on 2026-06-09 [4].