Skip to main content

TP-Link Archer CVE-2026-11834

| EUVDEUVD-2026-38339 HIGH
OS Command Injection (CWE-78)
2026-06-22 TPLink GHSA-w296-94hj-pfcg
8.7
CVSS 4.0 · Vendor: TPLink
Share

Severity by source

Vendor (TPLink) PRIMARY
8.7 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Adjacent network DHCP attack with no auth or user interaction; unsanitized option parsing yields straightforward command injection as root, giving full CIA impact on the router itself.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TPLink).

CVSS VectorVendor: TPLink

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 19:01 vuln.today

DescriptionCVE.org

A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state.

Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges, potentially leading to full compromise of the affected device and unauthorized administrative control.

AnalysisAI

Command injection in TP-Link Archer and TL-MR series routers allows an adjacent unauthenticated attacker on the same broadcast domain to execute arbitrary commands with elevated privileges by supplying crafted DHCP option responses. The flaw resides in DHCP client option processing during device initialization and is most reliably triggered when the router is in factory-default or unconfigured state. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain L2 adjacency to router DHCP interface
Delivery
Stand up rogue DHCP server on segment
Exploit
Router enters provisioning and requests DHCP options
Install
Server returns crafted option with shell metacharacters
C2
Router passes value to unsanitized system() call
Execute
Arbitrary commands execute with elevated privileges
Impact
Full device compromise and persistent administrative control

Vulnerability AssessmentAI

Exploitation Attacker must be on the same broadcast/L2 segment as the router's DHCP-client interface (AV:A) - typically the WAN side on LTE/DSL gateway models or any segment where the device performs DHCP during provisioning. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 base score 8.7 reflects adjacent network attack (AV:A), low complexity, no authentication, no user interaction, and full CIA impact on the vulnerable system - consistent with a router being fully compromised by a malicious DHCP server on the same L2 segment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same Layer-2 segment as a freshly reset or newly deployed TP-Link router (for example, a malicious neighbor on a shared apartment-building ISP segment, or a rogue host on a SOHO LAN during initial setup) runs a rogue DHCP server that races the legitimate one. When the router requests DHCP options during provisioning, the rogue server returns crafted option values containing shell metacharacters, causing the router to execute the embedded commands as root and yielding full administrative control of the device.
Remediation Patch available per vendor advisory: install the latest firmware for the specific affected model from the TP-Link support pages (https://www.tp-link.com/us/support/faq/5141/ and the per-model firmware downloads for Archer C20, MR200, MR402, VR2100, and TL-MR6400 v7). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all TP-Link Archer and TL-MR series routers deployed and document current firmware versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11834 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy