
CVE-2026-22225: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in TP-Link Systems Inc. Archer BE230 v1.2

Severity: High
Tags: Vulnerability, CVE-2026-22225, CWE-78
Published: Mon Feb 02 2026 (02/02/2026, 17:53:42 UTC)
Source: CVE Database V5
Vendor/Project: TP-Link Systems Inc.
Product: Archer BE230 v1.2

Description

A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2 and Archer AXE75 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE75 v1.0 < 1.5.3 Build 20260209 rel.71108.

AI-Powered Analysis

Machine-generated threat intelligence. Last updated: 03/20/2026, 01:42:22 UTC

Technical Analysis

CVE-2026-22225 is an OS command injection vulnerability (CWE-78) in TP-Link Systems Inc.'s Archer BE230 v1.2 and Archer AXE75 v1.0 routers. It resides in the VPN Connection Service component and can be exploited only after an attacker authenticates as an administrator. Special elements in administrator-supplied input are not properly neutralized before the input is used in an OS command, so an authenticated attacker can inject arbitrary commands and gain full administrative control of the device, compromising configuration integrity, network security, and service availability. The issue affects firmware versions prior to 1.2.4 Build 20251218 rel.70420 for the Archer BE230 and prior to 1.5.3 Build 20260209 rel.71108 for the Archer AXE75. It is one of multiple distinct OS command injection issues in the product line, each tracked under its own CVE ID. The CVSS v4.0 base score is 8.5 (high): adjacent-network attack vector, low attack complexity, no user interaction, and high privileges required (administrator authentication), with high impact on confidentiality, integrity, and availability. No public exploits have been reported, but the consequences of successful exploitation would be severe. The vendor has not yet published patch links, but fixed firmware versions are expected. The vulnerability illustrates the risk of insufficient input validation in network device management interfaces.

Potential Impact

The impact of CVE-2026-22225 is significant for organizations using affected TP-Link Archer BE230 and AXE75 routers. An attacker with administrative credentials can execute arbitrary OS commands, leading to full device compromise. This can result in unauthorized changes to device configuration, interception or manipulation of network traffic, disruption of VPN services, and potential pivoting into internal networks. The compromise of network infrastructure devices undermines overall network security posture and can facilitate further attacks such as data exfiltration, lateral movement, or denial of service. Enterprises relying on these routers for VPN connectivity or perimeter security may face operational disruptions and data breaches. The requirement for admin authentication limits exploitation to insiders or attackers who have already compromised credentials, but the low complexity and high impact make this a critical concern. The vulnerability also poses risks to home users and small businesses using these models, potentially exposing their networks to takeover and misuse.

Mitigation Recommendations

To mitigate CVE-2026-22225, organizations should:

1. Immediately verify the firmware versions of Archer BE230 and AXE75 devices and upgrade to versions 1.2.4 (or later) for BE230 and 1.5.3 (or later) for AXE75 once available from TP-Link.
2. Restrict administrative access to the router management interface and VPN Connection Service to trusted networks and IP addresses only, using network segmentation and firewall rules.
3. Enforce strong, unique administrator passwords and consider multi-factor authentication if supported to reduce the risk of credential compromise.
4. Monitor device logs and network traffic for unusual activity indicating attempted or successful exploitation.
5. Disable or limit the VPN Connection Service if not required to reduce attack surface.
6. Regularly audit and update device firmware and configurations as part of network security hygiene.
7. Educate administrators on the risks of credential theft and the importance of secure management practices.

These steps go beyond generic advice by emphasizing access restrictions, monitoring, and proactive firmware management tailored to this vulnerability.


Technical Details

Data Version: 5.2
Assigner Short Name: TPLink
Date Reserved: 2026-01-06T18:18:52.127Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6980e9aef9fa50a62f4f49e2

Added to database: 2/2/2026, 6:15:10 PM

Last enriched: 3/20/2026, 1:42:22 AM

Last updated: 5/3/2026, 12:58:51 AM

