Skip to main content

TP-Link Archer VX1800v CVE-2026-15427

| EUVDEUVD-2026-43962 HIGH
OS Command Injection (CWE-78)
2026-07-14 TPLink GHSA-pjj3-47vg-vqcj
8.6
CVSS 4.0 · Vendor: TPLink
Share

Severity by source

Vendor (TPLink) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Attack traverses the network CWMP channel (AV:N) but requires control of the trusted ACS (PR:H); no user interaction, and successful injection yields full root compromise (C/I/A:H).

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TPLink).

CVSS VectorVendor: TPLink

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 17:33 vuln.today
CVE Published
Jul 14, 2026 - 17:02 cve.org
HIGH 8.6

DescriptionCVE.org

An OS command injection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of parameters, allowing crafted input to be executed as system-level commands. Exploitation requires specific conditions such as TR-069 being enabled and ability to influence ACS-delivered commands, compromise or control an ACS server.

Successful exploitation may allow arbitrary command execution with root privileges, resulting in complete compromise of the device.

AnalysisAI

Root-level OS command injection in the TR-069/CWMP management client of the TP-Link Archer VX1800v v1 gateway lets an attacker who controls (or has compromised) the ACS provisioning server inject unsanitized parameters that the device executes as system-level commands. Because CWMP provisioning is trusted implicitly, a malicious or hijacked ACS can push crafted values that yield arbitrary command execution as root and full device takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise or impersonate ACS server
Delivery
Craft CWMP parameter with shell metacharacters
Exploit
Push malicious provisioning to CPE
Execution
CWMP client executes unsanitized value in shell
Persist
Arbitrary command execution as root
Impact
Complete device compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific preconditions stated by TP-Link: (1) the TR-069/CWMP remote-management feature must be enabled on the Archer VX1800v v1, and (2) the attacker must be able to influence ACS-delivered commands - in practice by compromising or controlling the Auto Configuration Server, or otherwise impersonating it to the CPE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H, base 8.6 High) captures the key tension well: impact is maximal (full confidentiality, integrity, and availability loss via root code execution), but PR:H reflects that exploitation is not open to arbitrary internet attackers - it requires a privileged position, namely control over ACS-delivered commands or compromise of the ACS server itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised an ISP's ACS server (or who can impersonate the ACS to targeted gateways over an unauthenticated/MITM'd CWMP channel) crafts a provisioning parameter containing shell metacharacters and pushes it to the Archer VX1800v v1. The device's CWMP client passes the value to a system shell without sanitization, executing the attacker's commands as root and yielding complete device compromise. …
Remediation Patch available per vendor advisory: update the Archer VX1800v v1 to the latest firmware from the TP-Link download page (https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware); the exact fixed version was not stated in the available data, so apply the most recent firmware listed for this model and confirm the build post-update. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all TP-Link Archer VX1800v v1 devices in your infrastructure and audit current firmware versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy