Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack traverses the network CWMP channel (AV:N) but requires control of the trusted ACS (PR:H); no user interaction, and successful injection yields full root compromise (C/I/A:H).
Primary rating from Vendor (TPLink).
CVSS VectorVendor: TPLink
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An OS command injection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of parameters, allowing crafted input to be executed as system-level commands. Exploitation requires specific conditions such as TR-069 being enabled and ability to influence ACS-delivered commands, compromise or control an ACS server.
Successful exploitation may allow arbitrary command execution with root privileges, resulting in complete compromise of the device.
AnalysisAI
Root-level OS command injection in the TR-069/CWMP management client of the TP-Link Archer VX1800v v1 gateway lets an attacker who controls (or has compromised) the ACS provisioning server inject unsanitized parameters that the device executes as system-level commands. Because CWMP provisioning is trusted implicitly, a malicious or hijacked ACS can push crafted values that yield arbitrary command execution as root and full device takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific preconditions stated by TP-Link: (1) the TR-069/CWMP remote-management feature must be enabled on the Archer VX1800v v1, and (2) the attacker must be able to influence ACS-delivered commands - in practice by compromising or controlling the Auto Configuration Server, or otherwise impersonating it to the CPE. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H, base 8.6 High) captures the key tension well: impact is maximal (full confidentiality, integrity, and availability loss via root code execution), but PR:H reflects that exploitation is not open to arbitrary internet attackers - it requires a privileged position, namely control over ACS-delivered commands or compromise of the ACS server itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised an ISP's ACS server (or who can impersonate the ACS to targeted gateways over an unauthenticated/MITM'd CWMP channel) crafts a provisioning parameter containing shell metacharacters and pushes it to the Archer VX1800v v1. The device's CWMP client passes the value to a system shell without sanitization, executing the attacker's commands as root and yielding complete device compromise. … |
| Remediation | Patch available per vendor advisory: update the Archer VX1800v v1 to the latest firmware from the TP-Link download page (https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware); the exact fixed version was not stated in the available data, so apply the most recent firmware listed for this model and confirm the build post-update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all TP-Link Archer VX1800v v1 devices in your infrastructure and audit current firmware versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Archer Vx1800V V1
View allOS command injection in the TP-Link Archer VX1800v (v1) router lets an adjacent, high-privileged attacker inject shell m
A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43962
GHSA-pjj3-47vg-vqcj