TP-Link Archer CVE-2026-9151

EUVD-2026-36078 | HIGH | OS Command Injection (CWE-78)
2026-06-10 | TPLink | GHSA-x4j3-73c9-wq9c
CVSS 4.0 (NVD): 8.5

Severity by source

NVD (primary): 8.5 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Analysis Generated: Jun 10, 2026 - 18:32 (vuln.today)
  • CVSS changed: Jun 10, 2026 - 18:22 (NVD), 8.5 (HIGH)

Description (NVD)

An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters.

Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.

Analysis (AI)

OS command injection in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers allows an authenticated attacker on an adjacent network to execute arbitrary commands by uploading a malicious VPN client configuration file. The flaw stems from improper sanitization of special characters during configuration import (CWE-78) and carries a CVSS 4.0 base score of 8.5. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Gain adjacent network foothold (LAN/Wi-Fi)
  • Delivery: Obtain router admin credentials
  • Exploit: Authenticate to web UI
  • Install: Craft malicious VPN client config with shell metacharacters
  • C2: Import file via VPN module
  • Execute: Trigger command injection (CWE-78)
  • Impact: Execute arbitrary commands as router root

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three concrete preconditions drawn from the CVE data: (1) the attacker must be on a network adjacent to the router - same LAN segment, Wi-Fi (including guest SSID if it can reach the admin interface), or a directly bridged link - because the CVSS vector is AV:A, not AV:N; (2) the attacker must possess administrator-level credentials to the router web UI (PR:H), since the VPN client configuration import is an authenticated management function; (3) the device must be one of the listed hardware revisions (Archer AX12 v1, AX17 v1, AX18 v1, AX1300 v1.6) with the VPN Client feature enabled and reachable, and the attacker must be able to submit a crafted VPN client configuration file through that import workflow. …

Risk Assessment: The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N) tells a nuanced story: attack vector is Adjacent (the attacker must already be on the LAN or Wi-Fi), privileges required are High (administrative login to the router web UI is needed), and no user interaction is required once the attacker is in. …

Exploit Scenario: An attacker who has gained the router's administrator credentials - for example a malicious guest on the home or small-office Wi-Fi, a roommate, or someone who phished or default-guessed the admin password - logs into the web UI and navigates to the VPN client configuration page. They upload a crafted VPN client profile in which a parameter (such as a server name, certificate path, or auth field) embeds shell metacharacters and an OS command; when the firmware parses and applies the file, the injected command runs with router-level privileges, giving the attacker a persistent foothold to sniff or redirect LAN traffic, alter DNS, or install a backdoor. …

Remediation: Patch available per vendor advisory: download and install the latest firmware for the exact hardware revision from the TP-Link support pages - Archer AX12 (https://www.tp-link.com/en/support/download/archer-ax12/#Firmware), Archer AX17 (https://www.tp-link.com/en/support/download/archer-ax17/#Firmware), Archer AX18 (https://www.tp-link.com/en/support/download/archer-ax18/#Firmware), and Archer AX1300 (https://www.tp-link.com/us/support/download/archer-ax1300/#Firmware) - verifying the hardware version label on the device before flashing, since installing the wrong revision's firmware can brick consumer routers. …
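
An added example, not taken from the vendor advisory or from this page's sources: a pre-import check that flags any character outside a conservative allowlist in a VPN client profile, which is the kind of filtering the description says was missing. It assumes an OpenVPN-style profile (one directive per line, inline `<ca>`-style blocks); the page names neither the profile format nor the affected field, and the sample profile is constructed.

```python
import re
import string
from typing import List, NamedTuple

# Assumption: OpenVPN-style profile. The page names neither the profile format
# nor the field that reaches a shell, so every directive line is checked.
SAFE = set(string.ascii_letters + string.digits + "._:/@,+=- \t")
PEM = set(string.ascii_letters + string.digits + "+/=- ")  # inline cert/key data
BLOCK_OPEN = re.compile(r"<([a-z0-9-]+)>")

# Constructed sample profile; line 7 carries a shell metacharacter.
SAMPLE = """\
client
dev tun
# constructed sample, not a real profile
remote vpn.example.net 1194
proto udp
auth-user-pass
remote backup.example.net;echo constructed 1194
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
</ca>
"""


class Finding(NamedTuple):
    line_no: int
    directive: str
    bad_chars: str


def scan_profile(text: str) -> List[Finding]:
    """Return one Finding per line holding characters outside the allowlist."""
    findings, block = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block is not None:                      # inside <ca>...</ca> etc.
            if line == f"</{block}>":
                block = None
                continue
            allowed, name = PEM, f"<{block}>"
        else:
            if not line or line[0] in "#;":        # blank line or comment
                continue
            opened = BLOCK_OPEN.fullmatch(line)
            if opened:
                block = opened.group(1)
                continue
            allowed, name = SAFE, line.split(None, 1)[0]
        bad = "".join(sorted(set(line) - allowed))
        if bad:
            findings.append(Finding(no, name, bad))
    return findings
```

The allowlist is deliberately strict, so it also flags quoted arguments that a legitimate profile may contain; treat a finding as a reason to inspect the line, not as proof of tampering.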

Recommended Action (AI)

Within 24 hours: Inventory all TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 devices in production environments. …