Skip to main content

TP-Link Archer EUVDEUVD-2026-32611

| CVE-2026-5509 HIGH
Improper Input Validation (CWE-20)
2026-05-27 f23511db-6c3e-4e32-a477-6aa17d310630 GHSA-5qh8-v6gw-rfcc
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 19:54 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s developer console by supplying a crafted input that is passed to backend system commands without adequate sanitization.

Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router’s operating environment.

AnalysisAI

Authenticated command injection in TP-Link Archer BE450 v1 and BE7200 v1 routers lets an admin-level user run arbitrary OS commands with elevated privileges via the web management interface. The flaw stems from improper input validation (CWE-20): crafted input supplied through the management UI is passed to backend system commands without adequate sanitization, enabling full device compromise. There is no public exploit identified at time of analysis, and the CVSS 4.0 vector scopes exploitation to the adjacent network by an already-authenticated administrator.

Technical ContextAI

The affected devices are TP-Link Archer-series Wi-Fi 7 routers (BE450 v1 and BE7200 v1) running TP-Link's embedded firmware web management stack. The root cause is classified as CWE-20 (Improper Input Validation): a parameter exposed through the router's HTTP admin interface is concatenated into a backend system shell invocation without sanitization, so shell metacharacters in attacker-supplied input are interpreted rather than treated as literal data. Because router firmware command handlers typically execute as the most privileged account on the device, injected commands inherit elevated/root-equivalent privileges over the embedded Linux environment, which is consistent with the SSVC 'total' technical-impact rating.

RemediationAI

Vendor-released patch: firmware 1.3.0 Build 20260416 - upgrade both Archer BE450 v1 and BE7200 v1 devices to this build or later, obtained only from the official TP-Link firmware pages (https://www.tp-link.com/en/support/download/archer-be450/#Firmware and https://www.tp-link.com/jp/support/download/archer-be7200/#Firmware). Until patching is complete, reduce exposure by treating the management interface as the attack surface: restrict admin-interface access to a trusted management VLAN or specific management hosts and disable any remote/WAN management so the interface is not reachable beyond the local segment (trade-off: legitimate remote administration is lost), and segment guest/IoT Wi-Fi away from the LAN that can reach the router UI to shrink the adjacent-network exposure required by AV:A. Because exploitation requires administrator credentials (PR:H), rotate the admin password to a strong unique value, eliminate default credentials, and limit who holds admin access (trade-off: tighter credential hygiene and added operational overhead). Review the TP-Link security FAQ at https://www.tp-link.com/us/support/faq/5102/ for vendor guidance.

Share

EUVD-2026-32611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy