TP-Link Archer AX53 Flaws Enable Command Injection via OpenVPN and dnsmasq
TP-Link Archer AX53 v1.0 routers were found to contain two high-severity OS command injection vulnerabilities, tracked as CVE-2026-30815 and CVE-2026-30818, affecting the device's OpenVPN and dnsmasq modules. In both cases, an authenticated attacker on an adjacent network can supply a specially crafted configuration file to trigger arbitrary command execution because of insufficient input validation, a weakness classified as CWE-78.
Successful exploitation could let an attacker alter router configuration, access sensitive information, and undermine overall device integrity and availability. The flaws affect Archer AX53 v1.0 firmware releases prior to 1.7.1 Build 20260213, and the CVSS v4.0 assessments indicate low attack complexity under adjacent-network conditions with high impact across confidentiality, integrity, and availability.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-30818 disclosed for AX53 dnsmasq module command injection
A CVE entry disclosed an OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0. The flaw allows an authenticated adjacent attacker to execute arbitrary code via a specially crafted configuration file on firmware versions before 1.7.1 Build 20260213.
CVE-2026-30815 disclosed for AX53 OpenVPN module command injection
A CVE entry disclosed an OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0. The flaw allows an authenticated adjacent attacker to execute system commands via a specially crafted configuration file on firmware versions before 1.7.1 Build 20260213.
TP-Link publishes AX53 advisory covering five vulnerabilities
TP-Link published a security advisory for Archer AX53 covering five vulnerabilities: CVE-2026-30814, CVE-2026-30815, CVE-2026-30816, CVE-2026-30817, and CVE-2026-30818. The advisory coincided with the 2026-02-13 firmware release and expanded the known scope beyond the two CVEs already captured in the timeline.
TP-Link fixes AX53 command injection flaws in firmware 1.7.1 Build 20260213
TP-Link Archer AX53 v1.0 firmware version 1.7.1 Build 20260213 became the first version not affected by two OS command injection vulnerabilities in the router's OpenVPN and dnsmasq modules, indicating the issues were addressed by that release.
Sources
TALOS-2025-2307, Cisco Talos Intelligence Group (talosintelligence.com)
TALOS-2025-2309, Cisco Talos Intelligence Group (talosintelligence.com)
TALOS-2025-2308, Cisco Talos Intelligence Group (talosintelligence.com)
CVE-2026-30815 - OS Command Injection Vulnerability in OpenVPN Module in TP-Link AX53 (cvefeed.io)
CVE-2026-30818 - OS Command Injection Vulnerability in dnsmasq Module in TP-Link AX53 (cvefeed.io)
Security Advisory on Multiple Vulnerabilities on Archer AX53 (CVE-2026-30814, CVE-2026-30815, CVE-2026-30816, CVE-2026-30817, CVE-2026-30818), TP-Link (tp-link.com)


