Multiple TP-Link Archer AX53 flaws could let attackers take over vulnerable routers
TP-Link has disclosed five security vulnerabilities affecting the Archer AX53 v1.0 router, including command injection, buffer overflow, and arbitrary file read flaws. The company says a successful attack could let an authenticated adjacent attacker execute system commands, crash services, read sensitive files, and further compromise the device.
The bugs affect core components including OpenVPN, dnsmasq, and tmpServer. TP-Link says the impacted firmware range is everything before version 1.7.1 Build 20260213, and it urges users to update immediately.
The most serious issues are two OS command injection vulnerabilities, tracked as CVE-2026-30815 and CVE-2026-30818. TP-Link says both carry a CVSS v4.0 score of 8.5 and allow an authenticated attacker on the same local network segment to execute system commands by supplying a specially crafted configuration file.
The most dangerous flaws involve command execution
CVE-2026-30815 affects the OpenVPN module. TP-Link says insufficient input validation during configuration file processing can let an authenticated adjacent attacker run system commands, which may lead to configuration changes, sensitive data exposure, or wider compromise of device integrity.
CVE-2026-30818 hits the dnsmasq module and is similarly severe. According to TP-Link, the flaw can allow arbitrary code execution when the router processes a malicious configuration file, again because the input is not validated properly.
Taken together, these two bugs create a serious local attack path. An attacker who already has the right level of access on the same network could move from configuration abuse to direct control over the router’s behavior. That makes these flaws especially dangerous in shared office, campus, or poorly segmented home environments. This last point is an inference based on TP-Link’s advisory.
A buffer overflow and file-read bugs add to the risk
Another flaw, CVE-2026-30814, affects the tmpServer module. TP-Link describes it as a stack-based buffer overflow that can trigger a segmentation fault and potentially allow arbitrary code execution through a specially crafted configuration file. The company rates it High with a CVSS v4.0 score of 7.3.
TP-Link also disclosed two arbitrary file read issues, CVE-2026-30816 and CVE-2026-30817. These affect the OpenVPN and dnsmasq modules and could let an authenticated adjacent attacker read arbitrary files from the device if a malicious configuration file gets processed. Both carry a CVSS v4.0 score of 6.8.
Those file-read flaws may not provide direct code execution on their own, but they can still expose sensitive information stored on the router. In practice, that can include configuration details and data that could help an attacker escalate further or pivot deeper into a local network. This is a reasonable security inference from the official advisory language about unauthorized file access.
Which devices are affected
TP-Link says the vulnerabilities affect Archer AX53 v1.0 devices running firmware earlier than 1.7.1 Build 20260213. The advisory also notes that AX53 v1 is not sold in the United States, which means exposure is more likely to affect users in other regional markets.
That regional note matters because TP-Link provides different support portals for different markets, including separate download pages for the English and Malaysia sites listed in the advisory. Users need to pull the right firmware for their hardware version and region before updating.
If left unpatched, the router could become an attractive foothold for attackers who already have adjacent access. Routers sit at a strategic point in the network, so a compromise there can create visibility into traffic, device settings, and local communications, even when the initial bug did not start as a remote internet exploit. This last sentence is an inference based on the device role and the impacts TP-Link listed.
Vulnerabilities at a glance
| CVE | Module | Type | Severity |
|---|---|---|---|
| CVE-2026-30815 | OpenVPN | OS command injection | High, 8.5 |
| CVE-2026-30818 | dnsmasq | OS command injection | High, 8.5 |
| CVE-2026-30814 | tmpServer | Stack-based buffer overflow | High, 7.3 |
| CVE-2026-30816 | OpenVPN | Arbitrary file read | Medium, 6.8 |
| CVE-2026-30817 | dnsmasq | Arbitrary file read | Medium, 6.8 |
Source: TP-Link security advisory.
What users and admins should do now
The main fix is clear. TP-Link says users should update Archer AX53 v1.0 devices to firmware version 1.7.1 Build 20260213 or later.
Admins should also avoid importing untrusted configuration files into router services such as OpenVPN and dnsmasq. Because all five issues rely on crafted configuration input, tighter control over who can upload or apply configs can reduce risk while patching rolls out. That recommendation follows directly from the attack paths described in the advisory.
Organizations should review how much local access trusted users and devices have on network segments where vulnerable routers operate. The official advisory says exploitation requires authenticated adjacent access, so segmentation and tighter administrative control can help reduce exposure.
Immediate security steps
- Update affected Archer AX53 v1.0 routers right away
- Verify the device hardware version before installing firmware
- Restrict who can upload or import router configuration files
- Review local network access around router management interfaces
- Audit for unusual configuration changes or service crashes
These steps align with TP-Link’s advisory and the stated exploitation requirements.
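The first two steps can be scripted against a device inventory. The following is an added example, not code from TP-Link or from this article: it compares each router's firmware string with the 1.7.1 Build 20260213 threshold and checks the hardware version. The inventory record layout, host names, and sample firmware strings are constructed assumptions.

```python
import re

# Patched threshold and affected hardware, as stated in the article.
FIXED = ((1, 7, 1), 20260213)
AFFECTED_MODEL = "Archer AX53"
AFFECTED_HW = ("1", "1.0")

# Matches strings such as "1.7.1 Build 20260213" anywhere in the field.
FW_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})", re.IGNORECASE)


def parse_firmware(text):
    """Return ((major, minor, patch), build_date) or None if unparseable."""
    m = FW_RE.search(text or "")
    if not m:
        return None
    return (tuple(int(x) for x in m.group(1, 2, 3)), int(m.group(4)))


def triage(device):
    """Classify a record: 'not-in-scope', 'vulnerable', 'patched' or 'review'."""
    hw = (device.get("hardware") or "").lower().lstrip("v")
    if device.get("model") != AFFECTED_MODEL or hw not in AFFECTED_HW:
        return "not-in-scope"
    fw = parse_firmware(device.get("firmware"))
    if fw is None:
        return "review"  # unknown format: check the admin page by hand
    # Version is compared first; the build date breaks ties on equal versions.
    return "patched" if fw >= FIXED else "vulnerable"


# Constructed sample inventory (hypothetical hosts and firmware strings).
INVENTORY = [
    {"host": "rtr-lobby", "model": "Archer AX53", "hardware": "v1.0", "firmware": "1.3.1 Build 20230912"},
    {"host": "rtr-lab", "model": "Archer AX53", "hardware": "V1", "firmware": "1.7.1 Build 20260101"},
    {"host": "rtr-office", "model": "Archer AX53", "hardware": "v1.0", "firmware": "1.7.1 Build 20260213"},
    {"host": "rtr-guest", "model": "Archer AX53", "hardware": "v1.0", "firmware": "unknown"},
    {"host": "rtr-annex", "model": "Archer AX53", "hardware": "v2.0", "firmware": "1.0.0 Build 20250101"},
]


def report(inventory):
    """Map each host to its triage status."""
    return {d["host"]: triage(d) for d in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Records that come back as `review` have a firmware field the parser could not read and need a manual check rather than an assumption in either direction.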
FAQ
TP-Link says the issues affect Archer AX53 v1.0.
TP-Link says successful exploitation can lead to command execution, service crashes, arbitrary file reads, and further compromise of device integrity.
The advisory says exploitation requires an authenticated adjacent attacker, which means someone on the same local network segment with the needed access.
TP-Link lists version 1.7.1 Build 20260213 as the patched release threshold, with all earlier versions affected.