TP-Link Router Flaw Enables Remote Command Execution Attacks
TP-Link has confirmed an authenticated command-injection vulnerability in the web management interface of two router models: Archer BE450 v1 and Archer BE7200 v1.
Tracked as CVE-2026-5509 and scored 8.5 (High) under CVSS v4.0, the flaw lets an attacker execute arbitrary system commands after they obtain administrator-level credentials.
TP-Link Router Security Vulnerability
The flaw is an authenticated command injection in the router’s web management interface. An attacker first needs to log in with a valid admin account.
After authentication, they can use the browser’s developer console or crafted HTTP requests to submit specially formatted values in input fields.
The router’s backend fails to sanitize this input properly and forwards it into system-level command execution routines. Because the application accepts and passes attacker-controlled data directly to operating system commands, the injected payload runs with the router’s elevated privileges.
This gives the attacker control over the device’s embedded OS and the ability to perform persistent, high-impact changes.
Affected Firmware and Patches
- Affected models: Archer BE450 v1, Archer BE7200 v1.
- Affected firmware: versions earlier than 1.3.0 Build 20260416.
- Distribution note: TP-Link states these models are not sold in the United States but are available in other regions and may be deployed in sensitive networks.
With control of the device’s embedded OS, an attacker can:
- Start or stop services, modify routing or DNS settings.
- Install additional malicious software or backdoors.
- Intercept, redirect, or persistently manipulate traffic (MITM).
- Enroll the router into a botnet for DDoS or distributed campaigns.
- Move laterally to internal hosts by pivoting through the compromised gateway.
Exposure increases when:
- Default, weak, or reused passwords are in use.
- Remote administration or management ports are exposed to untrusted networks.
- Administrators lack monitoring of router behavior or change management controls.
Mitigation
TP-Link has published patched firmware and recommends upgrading to version 1.3.0 Build 20260416 or later for both models immediately. Firmware images are available from TP-Link’s regional support portals.
- Apply the provided firmware update without delay.
- Disable remote or WAN-side management unless strictly required.
- Restrict admin interface access by IP or VPN and separate management VLANs.
- Enforce strong, unique administrator passwords and rotate credentials.
- Monitor routers for unusual processes, outbound connections, DNS changes, or configuration modifications.
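To find which devices still need the update, the following added example (not TP-Link's code or part of the original article) checks an inventory against the affected models and the fixed version stated above. The firmware string shape, the hostnames, the placeholder model and the inventory rows are constructed assumptions.

```python
import re

# Values taken from the advisory text above.
AFFECTED_MODELS = {("archer be450", "v1"), ("archer be7200", "v1")}
FIXED = (1, 3, 0, 20260416)  # 1.3.0 Build 20260416

# Assumed string shape: "<major>.<minor>.<patch> Build <YYYYMMDD>", optional trailing text.
_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\b", re.IGNORECASE)


def parse_firmware(text):
    """Return (major, minor, patch, build) or None if the string does not match."""
    m = _FW_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(model, hw_rev, firmware):
    """Return 'not-listed', 'patched', 'vulnerable' or 'unknown' for one device."""
    key = (" ".join(model.lower().split()), hw_rev.lower().strip())
    if key not in AFFECTED_MODELS:
        return "not-listed"  # model/revision is not named in this advisory
    parsed = parse_firmware(firmware)
    if parsed is None:
        return "unknown"  # unreadable version on an affected model: check by hand
    # Assumption: versions order by (major, minor, patch), then by build date.
    return "patched" if parsed >= FIXED else "vulnerable"


# Constructed inventory rows: (hostname, model, hardware revision, firmware string).
SAMPLE_INVENTORY = [
    ("gw-branch-01", "Archer BE450", "v1", "1.2.4 Build 20251103"),
    ("gw-branch-02", "Archer BE450", "v1", "1.3.0 Build 20260416"),
    ("gw-lab-01", "Archer BE7200", "V1", "1.3.0 Build 20260301 rel.1"),
    ("gw-lab-02", "Archer BE7200", "v1", "unknown"),
    ("gw-hq-01", "Other-Model-X", "v1", "1.0.0 Build 20240101"),
]


def triage(inventory):
    """Map hostname -> classification for every inventory row."""
    return {host: classify(model, rev, fw) for host, model, rev, fw in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Devices reported as "unknown" are affected models whose version string could not be parsed and should be checked by hand rather than assumed patched.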