
CVE-2026-22229: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in TP-Link Systems Inc. Archer BE230 v1.2

Severity: High
Tags: CVE-2026-22229, CWE-78
Published: Mon Feb 02 2026 (02/02/2026, 17:58:32 UTC)
Source: CVE Database V5
Vendor/Project: TP-Link Systems Inc.
Product: Archer BE230 v1.2

Description

A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2 and Deco BE25 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Deco BE25 v1.0: through 1.1.1 Build 20250822.

AI-Powered Analysis

Last updated: 03/06/2026, 21:33:07 UTC

Technical Analysis

CVE-2026-22229 is an OS command injection vulnerability (CWE-78) in TP-Link Systems Inc.'s Archer BE230 v1.2 and Deco BE25 v1.0 wireless devices. It stems from improper neutralization of special elements while processing VPN client configuration files imported by an authenticated administrator. When a crafted configuration file is imported, the firmware passes values from it to OS command execution functions without adequate sanitization, so an attacker can inject arbitrary commands. The result is full administrative control of the device, which can be used to alter its configuration, disrupt network services, or pivot into the network behind it. The affected firmware versions are Archer BE230 v1.2 prior to 1.2.4 Build 20251218 rel.70420 and Deco BE25 v1.0 up to 1.1.1 Build 20250822. No user interaction is needed beyond the import action itself, but exploitation is impossible without prior admin authentication, which limits remote exploitation while leaving a significant risk wherever admin credentials are compromised. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, administrative privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are known, but the nature and impact of the flaw warrant urgent remediation. This CVE is one of several OS command injection issues in these devices, each in a separate code path, which points to a systemic input validation weakness in the firmware.

Potential Impact

The impact of CVE-2026-22229 is severe for organizations deploying the affected TP-Link Archer BE230 and Deco BE25 devices. Exploitation grants full administrative control, enabling an attacker to modify device configurations, disable or manipulate network security controls, and disrupt service availability. That can lead to network compromise, data interception, lateral movement within internal networks, and persistent backdoors. Organizations relying on these devices for VPN connectivity or network access control face unauthorized access and data breaches. The admin authentication requirement reduces the risk from unauthenticated remote attackers but raises the stakes if admin credentials are leaked or weak. The vulnerability could be leveraged in targeted attacks against enterprises, SMBs, or home users running these models, especially where device management is loosely controlled. Compromise of network edge devices such as routers or Wi-Fi extenders has cascading effects on overall network security posture and trust.

Mitigation Recommendations

To mitigate CVE-2026-22229, organizations should immediately upgrade affected devices to the firmware versions where the vulnerability is patched (Archer BE230 v1.2 to version 1.2.4 Build 20251218 rel.70420 or later, and Deco BE25 v1.0 to version 1.1.1 Build 20250822 or later). Until patches are applied, restrict administrative access to trusted personnel and enforce strong, unique admin passwords to reduce the risk of credential compromise. Disable VPN client configuration imports if they are not required; otherwise validate imported files strictly and monitor the import workflow. Use network segmentation to isolate vulnerable devices from critical infrastructure. Monitor device logs for unusual configuration import activity and unexpected commands, and consider a network intrusion detection system to flag traffic patterns indicative of exploitation attempts. Audit device firmware versions and configurations regularly as part of vulnerability management, and watch vendor channels for updates or further advisories on this and the related command injection issues.
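The analysis above describes the defect as configuration values flowing into OS command execution, and the mitigation asks for strict validation of imported files. The following added example (not TP-Link code, and not tied to the actual firmware's parser) shows the two defensive controls a config importer needs: an allow-list validator over an assumed OpenVPN-style "directive value" format, and argv construction that never hands the values to a shell. The config samples are constructed for the example.

```python
import re

# Constructed sample inputs (not from the advisory): an OpenVPN-style client
# config, once clean and once carrying a shell metacharacter in a value.
CLEAN_CONFIG = """client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-256-GCM
"""
TAINTED_CONFIG = """client
dev tun
remote vpn.example.net;echo injected 1194
"""

# Directives the importer is willing to accept (assumed subset), and the only
# characters a value may contain. Anything else is rejected before use.
ALLOWED_DIRECTIVES = {"client", "dev", "proto", "remote", "cipher", "auth",
                      "nobind", "persist-key", "persist-tun", "resolv-retry"}
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:-]+$")


def validate_vpn_config(text):
    """Return (ok, problems): allow-list directives and constrain every value."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        directive, *values = line.split()
        if directive not in ALLOWED_DIRECTIVES:
            problems.append((lineno, f"directive not allowed: {directive}"))
        problems += [(lineno, f"unsafe value: {v!r}") for v in values
                     if not SAFE_VALUE.match(v)]
    return (not problems, problems)


def remote_argv(text):
    """Build the child-process argv for the 'remote' directive as a list, so the
    kernel receives discrete arguments and no shell ever parses them."""
    ok, problems = validate_vpn_config(text)
    if not ok:
        raise ValueError(f"rejected config: {problems}")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "remote":
            return ["openvpn", "--client", "--remote", parts[1], parts[2]]
    raise ValueError("no usable 'remote host port' directive")
```

Pass the returned list to a non-shell process launcher (e.g. `subprocess.run(argv)` without `shell=True`); the validator's rejection reasons are also what you would want written to the device log for the import monitoring recommended above.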


Technical Details

Data Version: 5.2
Assigner Short Name: TPLink
Date Reserved: 2026-01-06T18:18:52.127Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6980e9aef9fa50a62f4f49f4

Added to database: 2/2/2026, 6:15:10 PM

Last enriched: 3/6/2026, 9:33:07 PM

Last updated: 3/19/2026, 5:16:44 AM
