CVE-2026-22225 identifies an OS command injection vulnerability in the TP-Link Archer BE230 v1.2 router's VPN Connection Service. The flaw arises from improper neutralization of special characters in OS commands, classified under CWE-78, allowing an authenticated administrator to inject arbitrary commands into the underlying operating system. This vulnerability is exploitable only after successful administrative authentication, meaning an attacker must first gain admin credentials or access. Upon exploitation, the attacker can execute commands with the highest privilege level on the device, enabling full administrative control. This control can lead to unauthorized changes in device configuration, compromise of network security policies, interception or redirection of network traffic, and denial of service by disrupting router functionality. The affected versions are all prior to firmware 1.2.4 Build 20251218 rel.70420. The CVSS v4.0 score of 8.5 reflects a high severity due to the combination of high impact on confidentiality, integrity, and availability, moderate attack vector (adjacent network), and the requirement for high privileges but no user interaction. No public exploits have been reported yet, but the vulnerability is critical given the widespread use of TP-Link devices and the sensitive role of VPN services in secure communications. This CVE is one of multiple OS command injection issues found in the product, each tracked separately.

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Organizations using the Archer BE230 v1.2 routers in their infrastructure, especially for VPN services, could face unauthorized administrative control if attackers obtain admin credentials or exploit weak access controls. This could lead to interception or manipulation of sensitive data, disruption of secure remote access, and potential lateral movement within internal networks. Small and medium enterprises, as well as home offices relying on these devices, may experience service outages or data breaches. The impact extends to critical sectors such as finance, healthcare, and government, where VPNs are essential for secure communications. Given the high CVSS score and the critical nature of the vulnerability, exploitation could severely compromise confidentiality, integrity, and availability of network services. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop targeted exploits.

European organizations should prioritize updating affected Archer BE230 v1.2 devices to firmware version 1.2.4 Build 20251218 rel.70420 or later as soon as it becomes available from TP-Link. Until patches are applied, restrict administrative access to the VPN Connection Service by limiting access to trusted IP addresses and enforcing strong, unique administrator passwords. Implement network segmentation to isolate vulnerable devices from critical infrastructure and monitor administrative access logs for suspicious activity. Disable VPN services on affected devices if not required. Employ multi-factor authentication for device management interfaces where possible. Regularly audit device firmware versions and configurations to ensure compliance. Additionally, educate administrators about the risks of credential compromise and enforce strict credential management policies. Consider replacing vulnerable devices with models that have a stronger security posture if patching is delayed or unsupported.