Published: 2026/06/02 Last Updated: 2026/06/02
JVNVU#95687008
TP-Link Archer BE450 and BE7200 vulnerable to OS command injection
Overview
Archer BE450 and BE7200 provided by TP-Link contain an OS command injection vulnerability.
Products Affected
- Archer BE450 v1 firmware versions prior to 1.3.0 Build 20260416
- Archer BE7200 v1 firmware versions prior to 1.3.0 Build 20260416
Description
Archer BE450 and BE7200 provided by TP-Link contain the following vulnerability.
- OS command injection (CWE-78)
- CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.5
- CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.8
Impact
An attacker who is logged in to the admin interface may execute an arbitrary OS command.
Solution
Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| --- | --- |
| TP-Link Systems Inc. | Security Advisory on Arbitrary Command Injection via Browser Developer Console in TP-Link’s Archer BE450 and BE7200 (CVE-2026-5509) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.