TP-Link Router Vulnerability Allows Arbitrary Command Execution
A command injection vulnerability (CVE-2026-5509) in TP-Link Archer BE450 and BE7200 routers allows authenticated attackers to execute arbitrary system commands via the web management interface.
A critical command injection vulnerability, identified as CVE-2026-5509, has been discovered in specific TP-Link router models, potentially allowing authenticated attackers to execute arbitrary system commands. The flaw affects the TP-Link Archer BE450 v1 and BE7200 v1 routers, and has been assigned a high CVSS v4.0 score of 8.5, indicating a significant security risk.
The vulnerability resides within the router's web management interface and requires an attacker to first gain authenticated access. According to TP-Link's security advisory, the issue stems from insufficient sanitization of backend system commands. Once authenticated, an attacker can leverage the browser's developer console to inject malicious input, which is then improperly processed by the system, leading to command execution.
Exploitation of CVE-2026-5509 does not require any user interaction beyond the initial authentication. This makes it particularly dangerous in environments where administrative credentials might be weak, reused, or have been compromised through other means. Successful exploitation grants attackers elevated privileges on the router's underlying operating system, enabling them to manipulate system configurations, install unauthorized services, or establish persistent access within the network.
In a real-world scenario, an attacker with stolen credentials or an insider could log into the router's administrative panel. By using the browser console, they could inject commands to alter firewall rules, enable remote access, or redirect network traffic for surveillance and data interception. Such actions could severely compromise the confidentiality, integrity, and availability of the affected network.
The vulnerability impacts Archer BE450 v1 and Archer BE7200 v1 devices running firmware versions prior to 1.3.0 Build 20260416. TP-Link has addressed the issue by releasing a patched firmware version, 1.3.0 Build 20260416, and strongly urges users to upgrade their devices immediately. Unpatched routers remain vulnerable to compromise, especially if they are directly exposed to the internet or have weak security configurations.
Security experts highlight that this vulnerability underscores the persistent risks associated with web-based management interfaces, particularly when input validation is not rigorously enforced. Network edge devices like routers are frequent targets for threat actors seeking an initial foothold into internal networks, emphasizing the critical importance of timely patching and secure configuration practices.
While TP-Link has stated that the affected models are not sold in the United States, users in other regions, including Asia and Europe, may still be at risk. The company advises users to download the latest firmware updates from their official support portal and apply them promptly. Additionally, implementing strong password policies and restricting access to management interfaces to trusted networks is recommended to further enhance security.