CVE-2026-5509
Modified Modified - Updated After Analysis
Authenticated Command Injection in TP-Link Archer BE450 and BE7200 Routers

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: TPLink

Description
An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s developer console by supplying a crafted input that is passed to backend system commands without adequate sanitization. Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router’s operating environment.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-02
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5509
EUVD
EUVD-2026-32611
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tp-link archer_be450_firmware to 1.3.0 (exc)
tp-link archer_be7200_firmware to 1.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated command injection flaw found in the Archer BE450 v1 and BE7200 v1 routers. It allows an attacker who has administrator access to the router's web management interface to execute arbitrary system commands. The attacker can use the browser's developer console to supply specially crafted input that is passed to backend system commands without proper sanitization.

Because the input is not adequately sanitized, the attacker can run commands with elevated privileges on the device, potentially taking full control of the router's operating environment.

Impact Analysis

Exploiting this vulnerability can have serious impacts, including allowing an attacker to execute arbitrary commands with high privileges on the affected router.

  • Starting unauthorized services on the device.
  • Modifying system configurations.
  • Fully compromising the router's operating environment.
Mitigation Strategies

To mitigate the CVE-2026-5509 vulnerability, users should immediately update the firmware of their Archer BE450 v1 and BE7200 v1 routers to version 1.3.0 Build 20260416 or later.

This firmware update addresses multiple security vulnerabilities including this command injection flaw, improves system stability, and adds new features.

It is strongly recommended to download the firmware update from the official TP-Link regional website and perform the upgrade locally to avoid warranty voidance or device damage.

Applying the update promptly is crucial as unpatched devices remain vulnerable to exploitation.

Compliance Impact

The provided information does not specify how CVE-2026-5509 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability requires authenticated access to the router's web management interface and involves command injection via crafted inputs in the browser's developer console. Detection typically involves verifying the firmware version of the affected devices.

To detect if your device is vulnerable, check if the router is an Archer BE450 v1 or BE7200 v1 running firmware versions prior to 1.3.0 Build 20260416. Devices with firmware versions older than this are susceptible.

There are no specific commands provided in the available resources to detect exploitation or presence of this vulnerability directly on the network or system.

As a practical step, you can log into the router's admin interface and check the firmware version using the router's status or system information page.

If you have shell access or can run commands on the device (which is generally not recommended unless you have proper authorization), you might check for unauthorized services or configuration changes that could indicate exploitation, but no explicit commands are provided in the resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5509. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart