CVE-2026-0630
Severity: High
CWE-78 — Weakness Type
Published: Feb 2, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 8.0
📄 Description (English)

An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2 (web modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability.

This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

🤖 AI Executive Summary

CVE-2026-0630 is a critical OS command injection vulnerability in TP-Link Archer BE230 v1.2 firmware that allows authenticated adjacent attackers to execute arbitrary code and gain full administrative control. The vulnerability affects firmware versions prior to 1.2.4 Build 20251218 rel.70420 and poses severe risks to network infrastructure, configuration integrity, and service availability. A patch is available, making immediate remediation feasible for affected organizations.

🤖 AI Intelligence Analysis (analyzed: Apr 26, 2026 16:02)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations that use TP-Link Archer BE230 routers in enterprise and critical infrastructure environments. Primary impact sectors include: Banking and Financial Services (SAMA-regulated institutions using these devices for network segmentation), Government agencies and NCA-regulated entities, Telecommunications providers (STC, Mobily, Zain) managing network infrastructure, Healthcare facilities (MOH) with connected medical networks, Energy sector (ARAMCO, SEC) with industrial control networks, and Educational institutions. The requirement for adjacent, authenticated access limits exposure, but the risk remains critical for organizations that run guest networks or whose internal credentials have been compromised. Successful exploitation could lead to network compromise, data exfiltration, lateral movement, and disruption of critical services.
🏢 Affected Saudi Sectors: Banking and Financial Services, Government and Public Administration, Telecommunications, Healthcare, Energy and Utilities, Education, Critical Infrastructure, Retail and E-commerce
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all TP-Link Archer BE230 devices running firmware v1.2 < 1.2.4 Build 20251218 rel.70420 in your network inventory
2. Restrict administrative access to affected devices to authorized personnel only
3. Disable remote management features if not operationally required
4. Implement network segmentation to isolate affected routers from critical systems
5. Monitor device logs for suspicious command execution patterns

PATCHING GUIDANCE:
1. Download firmware version 1.2.4 Build 20251218 rel.70420 or later from TP-Link official support portal
2. Backup current device configuration before firmware update
3. Apply firmware update through device web interface (System Tools > Firmware Upgrade)
4. Verify successful update by checking firmware version in System Settings
5. Test network connectivity and service availability post-update
6. Document patch deployment in change management system

COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement network access controls (NAC) to restrict device access to authorized MAC addresses
2. Deploy intrusion detection/prevention systems (IDS/IPS) to monitor for command injection patterns
3. Implement command execution monitoring and alerting on the device
4. Restrict SSH/Telnet access to device management interfaces
5. Enable device audit logging and forward logs to centralized SIEM

DETECTION RULES:
1. Monitor for HTTP POST requests to device web interface with suspicious parameters containing shell metacharacters (|, ;, &, $, `, etc.)
2. Alert on unexpected process execution from web server processes (httpd, lighttpd)
3. Monitor system logs for unauthorized command execution with elevated privileges
4. Track failed and successful authentication attempts to device management interfaces
5. Implement YARA rules to detect command injection payloads in network traffic
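The first detection rule above (HTTP POST requests to the device web interface whose parameters contain shell metacharacters) can be turned into a small log-scanning check. The following Python is an added example written for this page; it is not part of the page's guidance and not TP-Link tooling. The one-line log format, the `/cgi-bin/admin/...` paths and the sample requests are all constructed for illustration, and the newline separator is an addition to the metacharacter list given in the rule.

```python
"""Flag POST requests whose decoded parameters carry shell metacharacters.

Added example for detection rule 1. The log format, endpoint paths and
sample lines are constructed and do not describe TP-Link's real interfaces.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Metacharacters named in the detection rule (| ; & $ `), plus newline,
# which is an assumption added here because it is also a command separator.
SHELL_META = re.compile(r"[|;&$`\n]")

# Constructed log format: <client-ip> <method> <path?query> <status>
LOG_LINE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3})$")


def extract_params(target):
    """Return (path, [(key, value), ...]) with percent-decoding applied.

    parse_qsl splits on '&' before decoding, so an encoded '%3B' or '%26'
    survives into the value and can be inspected.
    """
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def suspicious_params(target):
    """Return the (key, value) pairs whose decoded value contains a metacharacter."""
    _, params = extract_params(target)
    return [(k, v) for k, v in params if SHELL_META.search(v)]


def scan_log(lines):
    """Return one alert per POST request with suspicious parameters.

    Each alert is (client_ip, path, [(key, value), ...]). GET requests and
    lines that do not match the constructed format are skipped.
    """
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        client, method, target, _status = m.groups()
        if method != "POST":
            continue
        hits = suspicious_params(target)
        if hits:
            path, _ = extract_params(target)
            alerts.append((client, path, hits))
    return alerts


# Constructed sample lines: one benign POST, one GET, three with metacharacters.
SAMPLE_LOG = [
    "192.0.2.10 POST /cgi-bin/admin/hostname?name=office-ap 200",
    "192.0.2.10 GET /cgi-bin/admin/status 200",
    "192.0.2.77 POST /cgi-bin/admin/hostname?name=office%3Bid 200",
    "192.0.2.77 POST /cgi-bin/admin/diag?target=192.0.2.1%7Cuname 200",
    "192.0.2.77 POST /cgi-bin/admin/diag?target=%24(id) 200",
]

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT client={client} path={path} params={hits}")
```

Run on the constructed sample it raises three alerts, all for the second client. In a real deployment the `LOG_LINE` pattern must be adapted to the actual access-log format, and a match should trigger review rather than automatic blocking, because legitimate values (a hostname with `&`, a comment with `;`) can also contain these characters.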
📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Information Security Policies and Procedures
- ECC 2024 A.5.2.1 - Access Control and Authentication
- ECC 2024 A.5.2.2 - User Access Management
- ECC 2024 A.5.3.1 - Cryptography and Encryption
- ECC 2024 A.5.4.1 - Logging and Monitoring
- ECC 2024 A.5.5.1 - Vulnerability Management
- ECC 2024 A.5.6.1 - Incident Response

🔵 SAMA CSF
- SAMA CSF Governance - Risk Management Framework
- SAMA CSF Identify - Asset Management and Inventory
- SAMA CSF Protect - Access Control and Authentication
- SAMA CSF Detect - Monitoring and Detection
- SAMA CSF Respond - Incident Response Procedures
- SAMA CSF Recover - Business Continuity

🟡 ISO 27001:2022
- ISO 27001:2022 A.5.1 - Policies for Information Security
- ISO 27001:2022 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001:2022 A.5.3 - Segregation of Duties
- ISO 27001:2022 A.5.15 - Access Control
- ISO 27001:2022 A.5.16 - Cryptography
- ISO 27001:2022 A.5.23 - Information Security for Supplier Relationships
- ISO 27001:2022 A.8.1 - User Endpoint Devices
- ISO 27001:2022 A.8.2 - Privileged Access Rights
- ISO 27001:2022 A.8.3 - Information Access Restriction
- ISO 27001:2022 A.8.6 - Access Control to Networks and Network Services

🟣 PCI DSS v4.0.1
- PCI DSS 1.1 - Firewall Configuration Standards
- PCI DSS 2.1 - Default Passwords and Security Parameters
- PCI DSS 2.2 - Configuration Standards for System Components
- PCI DSS 2.4 - Document and Implement Security Configuration Standards
- PCI DSS 6.2 - Security Patches and Updates
- PCI DSS 10.1 - Implement Automated Audit Trails
- PCI DSS 11.2 - Vulnerability Scanning
📦 Affected Products / CPE (1 entry): tp-link:archer_be230_firmware
📊 CVSS Score: 8.0 / 10.0 — High
📊 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: A — Adjacent
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.0
CWE: CWE-78
EPSS: 0.13%
Exploit: No
Patch: ✓ Yes
Published: 2026-02-02
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0 — Priority: HIGH
🏷️ Tags: patch-available, CWE-78