CVE-2026-22229 identifies a critical OS command injection vulnerability in the TP-Link Archer BE230 v1.2 router firmware versions prior to 1.2.4 Build 20251218 rel.70420. The flaw exists due to improper neutralization of special characters in the processing of imported VPN client configuration files, which are handled after administrative authentication. An attacker with admin credentials can craft a malicious VPN configuration file that, when imported, triggers execution of arbitrary OS commands on the device. This leads to full administrative control over the router, allowing attackers to alter configurations, disrupt network services, or pivot into internal networks. The vulnerability is one of multiple distinct OS command injection issues in the product, each tracked separately. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L) indicates network attack vector, low attack complexity, no user interaction, but requires high privileges (admin). The vulnerability impacts confidentiality, integrity, and availability severely, with potential for persistent compromise. No public exploits are currently known, but the risk is significant given the administrative control gained upon exploitation. The issue is specific to firmware versions before 1.2.4, so upgrading is critical. The vulnerability affects a widely deployed consumer and SMB router model, which may be present in many European organizations' network infrastructure.

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Compromise of Archer BE230 routers can lead to unauthorized configuration changes, interception or redirection of network traffic, and potential lateral movement within corporate networks. Given the router’s role as a gateway device, attackers gaining administrative control can disrupt internet connectivity, degrade service availability, or establish persistent backdoors. Organizations relying on these routers for VPN connectivity are particularly vulnerable, as the attack vector involves importing VPN client configurations. The breach of confidentiality and integrity of network configurations can also lead to data leakage or compliance violations under regulations such as GDPR. The requirement for admin authentication limits remote exploitation but insider threats or credential compromise scenarios remain critical concerns. The absence of known exploits in the wild provides a window for proactive mitigation, but the high CVSS score underscores the urgency for patching and access control enforcement.

1. Immediately upgrade all affected TP-Link Archer BE230 v1.2 devices to firmware version 1.2.4 Build 20251218 rel.70420 or later once available from the vendor. 2. Restrict administrative access to the router’s management interface using network segmentation, VPNs, or IP whitelisting to minimize exposure. 3. Enforce strong, unique administrative credentials and implement multi-factor authentication if supported to reduce risk of credential compromise. 4. Monitor and audit VPN client configuration imports and administrative actions for suspicious activity. 5. Disable or tightly control the import of VPN client configuration files if possible, especially from untrusted sources. 6. Regularly review router logs and network traffic for anomalies indicative of exploitation attempts. 7. Educate network administrators about the risks of importing unverified configuration files and the importance of patch management. 8. Consider network-level protections such as intrusion detection/prevention systems to detect command injection patterns or unusual router behavior. 9. Maintain an inventory of deployed router models and firmware versions to prioritize patching efforts. 10. Engage with TP-Link support for any additional recommended security controls or updates.