TP-Link Archer Routers Patched for Command Injection and Multiple Security Flaws
TP-Link has disclosed and patched a high-severity authenticated command injection flaw, CVE-2026-5509, affecting Archer BE450 v1 and BE7200 v1 routers. The vulnerability in the web management interface carries a CVSS 8.5 score and can let an attacker who has already gained administrative access execute arbitrary system commands, potentially leading to elevated privileges, configuration tampering, unauthorized service execution, and interception of sensitive network traffic. TP-Link said devices running firmware earlier than 1.3.0 Build 20260416 are vulnerable and urged customers to install the latest firmware from its regional support portals.
The disclosure follows broader reporting on security weaknesses affecting TP-Link Archer NX routers, adding to concerns over exploitable flaws in the vendor’s consumer networking lineup. Together, the reports highlight continued risk in internet-facing router management functions, where compromised credentials or prior access can turn web interface bugs into full device compromise. Organizations and home users using affected Archer models should verify firmware versions, restrict administrative access, and apply vendor updates immediately.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
TP-Link releases firmware fix for CVE-2026-5509
TP-Link released a firmware update to address CVE-2026-5509 and indicated that devices running versions below 1.3.0 Build 20260416 are vulnerable. Administrators were advised to install the official update from TP-Link's regional portal.
TP-Link discloses CVE-2026-5509 affecting Archer BE450 and BE7200 routers
TP-Link disclosed CVE-2026-5509, an authenticated command injection vulnerability in the web management interface affecting Archer BE450 v1 and BE7200 v1 routers. The flaw can allow arbitrary system command execution with elevated privileges after access to the administrative panel is obtained.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Command Injection Flaws Expose TP-Link Archer NX Routers to Admin-Level RCE
TP-Link Archer `NX200`, `NX210`, `NX500`, and `NX600` routers are affected by two high-severity command injection vulnerabilities, tracked as **CVE-2025-15518** and **CVE-2025-15519**. The flaws stem from improper input handling in administrative CLI functions: one in a wireless-control command and the other in a modem-management command. In both cases, crafted input can be incorporated into operating system commands, enabling arbitrary command execution on the underlying device. The vulnerabilities require an authenticated attacker with administrative privileges, but successful exploitation could compromise the **confidentiality, integrity, and availability** of affected routers. Both issues are classified as `CWE-78` and were published as new CVE records with high-impact `CVSS v4.0` scoring. The CVE entries point users to TP-Link firmware download pages and support documentation for remediation guidance.
Mar 23, 2026
TP-Link Archer NX Routers Patched for Firmware Takeover and Config Decryption Flaws
TP-Link released firmware updates for **Archer NX200, NX210, NX500, and NX600** routers to address multiple high-severity vulnerabilities, including **`CVE-2025-15517`**, an authentication bypass issue that could let an unauthenticated attacker upload malicious firmware and carry out privileged configuration changes. The flaws affect the Archer NX product line and prompted TP-Link to urge customers to install the latest firmware immediately. The updates also fix **`CVE-2025-15605`**, a **hardcoded cryptographic key** weakness mapped to **`CWE-321`**. That flaw allows an authenticated attacker to decrypt router configuration files, alter them, and re-encrypt them, compromising the confidentiality and integrity of stored settings. Reporting on the patches comes amid broader scrutiny of TP-Link devices, including prior CISA action on other TP-Link router vulnerabilities and wider regulatory attention on foreign-made consumer networking equipment.
Mar 26, 2026
TP-Link Archer AX53 Flaws Enable Command Injection via OpenVPN and dnsmasq
TP-Link Archer AX53 v1.0 routers were found to contain two high-severity OS command injection vulnerabilities, tracked as **`CVE-2026-30815`** and **`CVE-2026-30818`**, affecting the device's OpenVPN and dnsmasq modules. In both cases, an authenticated attacker on an adjacent network can supply a specially crafted configuration file to trigger arbitrary command execution because of insufficient input validation, a weakness classified as **`CWE-78`**. Successful exploitation could let an attacker alter router configuration, access sensitive information, and undermine overall device integrity and availability. The flaws affect Archer AX53 v1.0 firmware releases prior to **`1.7.1 Build 20260213`**, and the CVSS v4.0 assessments indicate low attack complexity under adjacent-network conditions with high impact across confidentiality, integrity, and availability.
May 25, 2026