TP-Link Router Vulnerability Lets Authenticated Attackers Execute System Commands
TP-Link has disclosed a high-severity command injection vulnerability affecting its Archer BE450 v1 and Archer BE7200 v1 routers. The flaw, tracked as CVE-2026-5509, can let an authenticated attacker execute arbitrary system commands through the router’s web management interface.
The company detailed the issue in a TP-Link security advisory published on May 27, 2026. TP-Link said the vulnerability exists because crafted input from the browser developer console can reach backend system commands without adequate sanitization.
The flaw does not allow any remote attacker to take over a router without credentials. However, it still creates serious risk when router administrator passwords are weak, reused, stolen, shared too widely, or exposed through phishing and credential leaks.
What CVE-2026-5509 Allows Attackers to Do
CVE-2026-5509 can allow an attacker who has already logged in to the router’s admin interface to execute system commands with elevated privileges. That level of access can affect the device’s configuration, services, and operating environment.
Japan Vulnerability Notes also published an advisory, listing the issue as OS command injection and mapping it to CWE-78. The JVN advisory says an attacker who logged in to the admin interface may execute arbitrary OS commands.
In practice, this could let an attacker change router settings, start unauthorized services, alter network behavior, or weaken security controls. Routers sit at the edge of a network, so compromise can affect traffic routing, visibility, and access to other devices.
Key Details About the TP-Link Router Vulnerability
| Item | Details |
|---|---|
| CVE | CVE-2026-5509 |
| Affected models | TP-Link Archer BE450 v1 and Archer BE7200 v1 |
| Affected firmware | Versions earlier than 1.3.0 Build 20260416 |
| Vulnerability type | Authenticated command injection through the web management interface |
| CVSS v4.0 score | 8.5, high severity |
| CVSS v3.1 score | 6.8, according to Japan Vulnerability Notes |
| Authentication required | Yes, administrator access is required |
| Fix | Update to firmware 1.3.0 Build 20260416 or later |
Which TP-Link Routers Are Affected
The affected products are Archer BE450 v1 and Archer BE7200 v1 routers running firmware versions before 1.3.0 Build 20260416. Users with either model should check the router’s firmware version through the web management interface or the TP-Link app if supported.
The TP-Link advisory states that BE450 and BE7200 are not sold in the United States. That does not remove the risk for users in other regions, including markets where these models remain available.
Japanese publication INTERNET Watch also reported that users should update to the latest firmware to address the OS command injection issue. The report cites both JVN and TP-Link guidance.
Why Router Command Injection Is Serious
Command injection is dangerous because it can turn a web management flaw into operating system access. On a router, that may let an attacker modify firewall rules, DNS settings, routing behavior, startup scripts, or other sensitive configuration.
This vulnerability requires authentication, which reduces the exposure compared with an unauthenticated internet-facing flaw. Still, many router breaches start with stolen credentials, default passwords, weak passwords, or admin panels exposed to networks that do not need access.
Network edge devices also attract attackers because they can provide persistence, traffic visibility, and a path into internal systems. Once a router is compromised, defenders may struggle to trust logs, DNS behavior, and traffic forwarding from that device.
How Attackers Could Abuse the Flaw
An attacker would first need access to the router’s administrator interface. That access could come from a compromised admin password, an exposed management page, a malicious insider, or another device on the same network.
After logging in, the attacker could use the browser developer console to submit crafted input that the backend fails to sanitize correctly. That input may then be passed to system commands and executed with elevated privileges.
A GitHub Advisory Database entry describes the same authenticated command injection behavior and lists the vulnerable Archer BE450 v1 and BE7200 v1 models.
What Users Should Do Now
TP-Link users with affected devices should install the latest firmware as soon as possible. The update should move the router to version 1.3.0 Build 20260416 or later.
- Check whether the router is an Archer BE450 v1 or Archer BE7200 v1.
- Open the router’s firmware information page and confirm the installed version.
- Download firmware only from the official TP-Link support page for the correct model and region.
- Install version 1.3.0 Build 20260416 or later.
- Change the router administrator password after updating.
- Disable remote management if it is not required.
- Limit admin interface access to trusted local devices.
- Review router settings for unknown services, DNS changes, port forwarding rules, or unexpected users.
Users should not install firmware from unofficial mirrors or file-sharing sites. Router firmware must match the exact model, hardware version, and region because installing the wrong file can cause failures or make the device unusable.
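For administrators tracking several devices, the model and firmware check in the steps above can be scripted. This is an added example, not code from TP-Link or the advisories. The inventory rows, status labels and function names are constructed, and it assumes the firmware string is displayed as "1.3.0 Build 20260416" with the release number ordering ahead of the build date.

```python
import re

# Fixed release and affected models as stated in the advisory table above.
FIXED = (1, 3, 0, 20260416)
AFFECTED = {("archer be450", "v1"), ("archer be7200", "v1")}

# Assumed display format "1.3.0 Build 20260416"; trailing text is tolerated.
_FW = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\b", re.IGNORECASE)


def parse_firmware(text):
    """Return (major, minor, patch, build_date) or None if unparseable."""
    m = _FW.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def triage(model, hw_version, firmware):
    """Classify one device against the advisory's model and version bounds."""
    key = (" ".join(model.split()).lower(), hw_version.strip().lower())
    if key not in AFFECTED:
        return "model-not-listed"
    parsed = parse_firmware(firmware)
    if parsed is None:
        # Fail closed: an unreadable version needs a manual look, not a pass.
        return "check-manually"
    # Assumption: release number orders first, build date breaks ties.
    return "vulnerable" if parsed < FIXED else "patched"


# Constructed inventory rows: (name, model, hardware version, firmware string).
INVENTORY = [
    ("office-ap", "Archer BE450", "v1", "1.2.4 Build 20251103"),
    ("lab-ap", "Archer BE7200", "V1", "1.3.0 Build 20260416"),
    ("home-ap", "Archer BE450", "v1", "1.3.0 Build 20260301 rel.1"),
    ("spare", "Archer BE450", "v1", "unknown"),
    ("other", "Example Router X", "v2", "9.9.9 Build 20200101"),
]


def report(rows=INVENTORY):
    """Map each device name to its triage status."""
    return {name: triage(m, hw, fw) for name, m, hw, fw in rows}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```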
Security Steps Beyond the Firmware Update
Patching closes the known vulnerability, but secure configuration still matters. A router admin panel should not be reachable from the public internet unless a specific, protected operational need exists.
Users should also avoid reusing the router administrator password on other services. If attackers obtain reused credentials from another breach, they may try those passwords against network devices.
Organizations should place router management interfaces on trusted management networks where possible. They should also log administrative access, restrict access by IP address, and use a documented change process for firmware updates.
How to Check for Possible Compromise
Anyone who used an affected firmware version should review the router configuration after patching. This matters most when the admin password was weak, shared, or exposed.
- Look for unexpected DNS server changes.
- Check firewall and port forwarding rules.
- Review remote management settings.
- Check for unknown administrator accounts if the router supports multiple users.
- Review logs for unusual admin logins.
- Restart the device after updating and confirming settings.
- Back up a clean configuration only after reviewing the device.
If a router shows signs of unauthorized changes, users should reset it to factory defaults, install the latest firmware, reconfigure it manually, and rotate Wi-Fi and administrator passwords.
Why Web Management Interfaces Need Extra Care
Router web interfaces are convenient, but they also create a common attack surface. Every form field, setting, and hidden parameter that reaches backend system commands must handle input safely.
The GitHub advisory and vendor guidance both describe the issue as tied to crafted input submitted through the management interface. That makes admin-interface exposure and credential hygiene important parts of risk reduction.
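The general defense for this class of bug (CWE-78) is to validate on the server, because checks that live only in the page's JavaScript can be bypassed from the developer console, and to pass values to programs as separate arguments instead of through a shell. The sketch below is an added example, not TP-Link's code. The "ping a host" diagnostic, the function names and the sample inputs are hypothetical, since the advisories do not name the affected parameter.

```python
import ipaddress
import re
import subprocess

# Hypothetical "ping a host" diagnostic behind an admin page. All names here
# are illustrative; none come from TP-Link firmware or the advisories.
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)


def weak_command_line(target):
    """Weak pattern (CWE-78): request text is pasted into a string for a shell.
    Returned for inspection only; this example never executes it."""
    return "ping -c 1 " + target


def validate_target(value):
    """Server-side allowlist: an IP literal or an RFC 1123 hostname, else None."""
    if not isinstance(value, str):
        return None
    try:
        ip = ipaddress.ip_address(value)
        # Scoped IPv6 ("fe80::1%zone") carries a free-form zone string; refuse it.
        return None if "%" in value else str(ip)
    except ValueError:
        pass
    return value if _HOSTNAME.match(value) else None


def build_ping_argv(value):
    """Hardened pattern: validated value becomes one argv element, no shell."""
    target = validate_target(value)
    if target is None:
        raise ValueError("target rejected by server-side validation")
    # "--" ends option parsing, so the target can never be read as a flag.
    return ["ping", "-c", "1", "--", target]


def run_ping(value, timeout=5):
    """Execute without a shell; metacharacters have no meaning to execve()."""
    argv = build_ping_argv(value)
    return subprocess.run(argv, capture_output=True, timeout=timeout,
                          check=False).returncode
```

The two layers are independent: the allowlist rejects unexpected input before it is used, and the argument list keeps any value that does get through from being interpreted as shell syntax.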
INTERNET Watch also notes that updating to the latest firmware is the recommended remediation. Users and administrators should treat router firmware updates as routine security maintenance, not only as feature upgrades.
FAQ
CVE-2026-5509 is an authenticated command injection vulnerability in TP-Link Archer BE450 v1 and Archer BE7200 v1 routers. It can allow an administrator-level attacker to execute arbitrary system commands through the web management interface.
The affected models are Archer BE450 v1 and Archer BE7200 v1 running firmware versions earlier than 1.3.0 Build 20260416.
No. Public advisories describe CVE-2026-5509 as an authenticated vulnerability. An attacker needs access to the router’s administrator interface before exploiting the command injection flaw.
Users should update affected routers to firmware version 1.3.0 Build 20260416 or later. They should also change the administrator password and restrict access to the router management interface.
TP-Link says Archer BE450 and BE7200 are not sold in the United States. Users in other regions should still check their model and firmware version and apply the latest update if affected.