Bright Nexus

Published on June 2, 2026

TP-Link Router Vulnerability Allows Attackers to Execute Arbitrary System Commands

Severity

High

Detail

A high-severity vulnerability has been identified in TP-Link Archer routers, specifically affecting the Archer BE450 v1 and Archer BE7200 v1 models. Tracked as CVE-2026-5509, the flaw is a command injection vulnerability located within the router’s web management interface. It arises due to insufficient input sanitization in backend system commands, allowing an authenticated attacker to execute arbitrary commands with elevated privileges on the device’s underlying operating system.

According to a security advisory published by TP-Link on May 27, 2026, an attacker who has successfully logged into the administrative interface can exploit this flaw by using the browser’s developer console to inject specially crafted input as the vulnerability requires no further user interaction beyond initial authentication, it poses a significant risk in environments where administrative credentials are weak, reused, or have been previously exposed via infostealers.

Successful exploitation grants threat actors complete control over the affected network edge device. Attackers can leverage this access to manipulate system configurations, deploy unauthorized malicious services, alter firewall rules, enable remote access, or redirect network traffic for surveillance and data interception. While TP-Link has clarified that these specific models are not sold in the United States, users and enterprise environments across Asia and Europe remain exposed.

CVE IDSummaryCVSS Score
CVE-2026-5509Insufficient input validation in the web management interface of certain TP-Link Archer routers allows an authenticated attacker to execute arbitrary system commands via the browser developer console.8.5 (High)

Affected Products

The vulnerability affects the following hardware models running firmware versions earlier than 1.3.0 Build 20260416:

  • TP-Link Archer BE450 (v1)
  • TP-Link Archer BE7200 (v1)

Recommendation

Organizations and individual users are strongly advised to implement the following remediation steps to prevent device compromise and network intrusion:

  • Apply the latest patched firmware (version 1.3.0 Build 20260416 or later) from the official TP-Link support portal.
  • Change default administrative credentials and implement robust, complex password policies to prevent unauthorized access to the web interface.
  • Limit access to the router’s administrative and web management interfaces to trusted internal networks only, ensuring they are never exposed to the public internet.
  • Audit router settings for unauthorized modifications, unexpected remote access services, or anomalous firewall rule alterations.

Source

https://nvd.nist.gov/vuln/detail/CVE-2026-5509

https://www.tp-link.com/us/support/faq/5102

https://cybersecuritynews.com/tp-link-router-vulnerability/