
CVE-2026-0630: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in TP-Link Systems Inc. Archer BE230 v1.2

Severity: High
Type: Vulnerability
Tags: CVE-2026-0630, cve, cve-2026-0630, cwe-78
Published: Mon Feb 02 2026 (02/02/2026, 17:48:05 UTC)
Source: CVE Database V5
Vendor/Project: TP-Link Systems Inc.
Product: Archer BE230 v1.2

Description

An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (web modules) and Archer AXE75 v1.0 allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/20/2026, 01:42:04 UTC

Technical Analysis

CVE-2026-0630 is an OS command injection vulnerability classified under CWE-78, impacting TP-Link Archer BE230 v1.2 and Archer AXE75 v1.0 wireless routers. The flaw resides in the web management modules of these devices, where user-supplied input is improperly sanitized before being incorporated into operating system commands. This improper neutralization allows an adjacent attacker who has authenticated access to the device's management interface to inject arbitrary OS commands. Successful exploitation grants the attacker full administrative privileges on the device, enabling them to alter configurations, disrupt network operations, or pivot to other network assets. The vulnerability affects Archer BE230 versions prior to 1.2.4 (Build 20251218 rel.70420) and Archer AXE v1.0 versions prior to 1.5.3 (Build 20260209 rel.71108). The CVSS 4.0 base score is 8.5, reflecting high severity due to low attack complexity, no user interaction, and the ability to cause significant confidentiality, integrity, and availability impacts. Although no known exploits are publicly reported, the presence of multiple distinct OS command injection vulnerabilities in these devices indicates a systemic issue in input validation within the firmware's web modules. This vulnerability requires adjacent network access and authenticated credentials, limiting remote exploitation but still posing a serious risk in environments where attackers can gain local network access or compromise credentials.

Potential Impact

The impact of CVE-2026-0630 is substantial for organizations deploying affected TP-Link Archer BE230 and AXE75 routers. An attacker exploiting this vulnerability can gain full administrative control over the device, allowing them to modify network configurations, disable security controls, or launch further attacks against internal network resources. This can lead to loss of confidentiality through data interception or manipulation, integrity breaches by altering device settings or firmware, and availability disruptions by disabling network services or causing device failures. In enterprise or critical infrastructure environments, compromised routers can serve as persistent footholds for attackers, enabling lateral movement and data exfiltration. Additionally, since these devices often serve as gateways, their compromise undermines the overall network security posture. The requirement for adjacent network access and authentication somewhat limits the attack surface but does not eliminate risk, especially in environments with weak credential management or insider threats. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation once details become widely known.

Mitigation Recommendations

To mitigate CVE-2026-0630, organizations should prioritize updating affected TP-Link devices to the latest firmware versions: Archer BE230 v1.2 firmware 1.2.4 (Build 20251218 rel.70420) or later and Archer AXE v1.0 firmware 1.5.3 (Build 20260209 rel.71108) or later once these patches are officially released. Until patches are applied, restrict access to the device management interfaces to trusted network segments and enforce strong authentication mechanisms, including complex passwords and, if supported, multi-factor authentication. Network segmentation should be employed to limit adjacent network access to these devices, minimizing exposure to potential attackers. Monitoring and logging of administrative access attempts and unusual device behavior can help detect exploitation attempts early. Disable any unnecessary services or remote management features that increase the attack surface. Additionally, conduct regular audits of device configurations and credentials to ensure no unauthorized changes or access have occurred. Vendors and administrators should also review and harden input validation mechanisms in custom device management interfaces to prevent similar vulnerabilities.
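
One way to check a device inventory against the fixed builds listed above, as an added example that is not code from TP-Link or from this page. It assumes the inventory reports firmware in the same `X.Y.Z Build YYYYMMDD rel.NNNNN` form the page uses; the hostnames and sample firmware strings are constructed.

```python
import re

# Fixed firmware builds as stated on this page. Assumption: the page's
# "Archer AXE v1.0" version line refers to the Archer AXE75 v1.0 named
# in its description.
FIXED = {
    "Archer BE230 v1.2": "1.2.4 Build 20251218 rel.70420",
    "Archer AXE75 v1.0": "1.5.3 Build 20260209 rel.71108",
}

# Tolerates "rel.71108" and "rel. 71108"; both spellings appear on the page.
_FW = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\s+rel\.\s*(\d+)", re.I)


def parse_firmware(text):
    """Return (major, minor, patch, build_date, rel) or None if unparseable."""
    m = _FW.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def status(model, firmware):
    """Classify one device: 'affected', 'fixed', 'not-listed' or 'unknown'."""
    fixed = FIXED.get(model)
    if fixed is None:
        return "not-listed"      # model is not covered by this CVE record
    have = parse_firmware(firmware)
    if have is None:
        return "unknown"         # never assume safe on an unparseable string
    # Tuple comparison orders by version first, then build date, then rel.
    return "affected" if have < parse_firmware(fixed) else "fixed"


def audit(inventory):
    """Map (host, model, firmware) rows to (host, status) pairs."""
    return [(host, status(model, fw)) for host, model, fw in inventory]


# Constructed sample inventory (hostnames and firmware strings are made up).
INVENTORY = [
    ("ap-lobby", "Archer BE230 v1.2", "1.2.3 Build 20250815 rel.51234"),
    ("ap-lab", "Archer BE230 v1.2", "1.2.4 Build 20251218 rel.70420"),
    ("ap-office", "Archer AXE75 v1.0", "1.5.3 Build 20260101 rel. 70000"),
    ("ap-store", "Archer AXE75 v1.0", "firmware string missing"),
]

if __name__ == "__main__":
    for host, result in audit(INVENTORY):
        print(f"{host}: {result}")
```

Devices reported as `unknown` need a manual check of the firmware page before they are treated as patched.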


Technical Details

Data Version: 5.2
Assigner Short Name: TPLink
Date Reserved: 2026-01-06T00:07:44.620Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6980e629f9fa50a62f4dd5fb

Added to database: 2/2/2026, 6:00:09 PM

Last enriched: 3/20/2026, 1:42:04 AM

Last updated: 5/3/2026, 4:55:18 PM
