CVE-2026-5509 Overview
CVE-2026-5509 is an authenticated command injection vulnerability affecting the TP-Link Archer BE450 v1 and Archer BE7200 v1 routers. The flaw resides in the web management interface, where administrator-supplied input is passed to backend system commands without adequate sanitization. An authenticated attacker on the adjacent network can leverage the browser developer console to inject crafted payloads. Successful exploitation grants arbitrary command execution with elevated privileges on the device. This allows an attacker to start unauthorized services, modify router configuration, or fully compromise the underlying operating environment. The weakness is categorized under [CWE-20] Improper Input Validation.
Critical Impact
Authenticated administrators on the adjacent network can execute arbitrary OS commands with elevated privileges, leading to full compromise of the router’s operating environment.
Affected Products
- TP-Link Archer BE450 v1
- TP-Link Archer BE7200 v1
- Web management interface firmware versions prior to the vendor-issued fix
Discovery Timeline
- 2026-05-27 - CVE-2026-5509 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-5509
Vulnerability Analysis
The vulnerability exists in the administrative web interface of the Archer BE450 v1 and BE7200 v1 routers. Backend handlers accept parameters from authenticated administrator sessions and pass them into system command execution without proper input validation or sanitization. An attacker who has already authenticated to the admin interface can use the browser developer console to issue requests containing shell metacharacters. These metacharacters break out of the intended command context and append attacker-controlled commands. Because the router’s web service runs with elevated privileges, injected commands execute in the same privileged context. This converts an administrator account compromise into full control of the router operating system.
Root Cause
The root cause is improper input validation [CWE-20] in handlers that construct shell command strings from user-supplied parameters. The application concatenates input directly into system commands without escaping or allowlisting permitted characters. No secondary boundary, such as parameterized execution or a restricted shell, mitigates the unsafe concatenation.
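The pattern described above, shown as an added Python illustration (not TP-Link code; the router's handlers are not public): an unsafe builder that concatenates a request parameter into a shell string next to the hardened form, which allowlists the parameter and passes an argv list with `shell=False` so no shell ever parses the input. The `ping` handler, the hostname parameter and the allowlist pattern are assumptions chosen for the illustration.

```python
import re
import subprocess
from typing import List

# Allowlist for a hostname/IPv4 parameter (assumed shape for this example):
# letters, digits, dots and hyphens only, and no leading hyphen so the value
# can never be read as an option by the invoked program. Shell metacharacters
# such as ; | & ` $ ( ) and whitespace fall outside the allowlist and are rejected.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_unsafe(host: str) -> str:
    """The anti-pattern named in the advisory: user input concatenated straight
    into a shell command string. Returned for inspection only, never executed."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Allowlist validation: return the value unchanged or raise ValueError."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("parameter contains characters outside the allowlist")
    return host


def build_command_safe(host: str) -> List[str]:
    """Parameterized form: an argv list for subprocess with shell=False, so the
    parameter is always exactly one argument and is never parsed by a shell."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Execute the hardened command. shell=False is the secondary boundary the
    advisory says the vulnerable handlers lack; validation is the first one."""
    return subprocess.run(build_command_safe(host), shell=False, check=False).returncode


def shell_metacharacters_present(command: str) -> bool:
    """True if a built command string contains any shell metacharacter."""
    return bool(re.search(r"[;&|`$()<>\n]", command))
```

Both layers matter: the allowlist stops hostile values at the boundary, and the argv form means that even a value the allowlist missed would reach `ping` as a single argument rather than as shell syntax. The leading-hyphen rule in the pattern is the extra check worth keeping, since argument injection ("-" options) survives `shell=False` if the program is handed a value that begins with a dash.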
Attack Vector
The attack vector is Adjacent Network. An attacker must first obtain valid administrator credentials and reach the router’s management interface. After authenticating, the attacker uses the browser developer console to craft and send a request to a vulnerable endpoint, embedding shell metacharacters in a parameter. The backend processes the request and executes the injected commands with elevated privileges. Refer to the TP-Link Archer BE450 Firmware advisory and TP-Link FAQ #5102 for vendor technical details.
Detection Methods for CVE-2026-5509
Indicators of Compromise
- Unexpected child processes spawned by the router web management service, particularly shells such as sh or busybox invoked from HTTP handlers.
- Administrative HTTP or HTTPS requests to management endpoints containing shell metacharacters such as ;, |, &&, backticks, or $() in parameter values.
- New or unauthorized services, cron entries, or listening ports appearing on the router after admin sessions.
- Outbound connections from the router to unfamiliar hosts following administrator logins.
Detection Strategies
- Inspect router system logs for command execution events that correlate with administrator web sessions and unusual parameter content.
- Monitor network traffic to and from the router management interface from adjacent network segments for anomalous request patterns.
- Compare running configuration and service inventory against a known-good baseline to identify unauthorized changes.
Monitoring Recommendations
- Forward router syslog data to a central logging or SIEM platform and alert on shell metacharacters in management URLs and POST bodies.
- Track administrator authentication events and flag sessions originating from unexpected adjacent network locations.
- Audit firmware version and configuration state on a recurring schedule to detect tampering.
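The indicator above (shell metacharacters in management URLs and POST bodies) and the SIEM alerting recommendation, as an added Python example that is not part of the advisory: a scanner that parses request lines, URL-decodes query and form parameters, and flags any value containing a metacharacter. The log line format, the endpoint paths and the sample entries are constructed for this example and do not reflect TP-Link's actual log output.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Metacharacters named in the advisory's indicators (; | && backticks $()) plus
# ${ and line breaks. Matched after URL decoding so %3B, %7C, %24%28 are caught.
SHELL_META = re.compile(r"(;|\|\||\||&&|`|\$\(|\$\{|[\n\r])")

# Constructed sample lines (not real router logs). Assumed format:
# "<client-ip> <method> <url> <status> body=<raw-form-body-or-empty>"
SAMPLE_LOG = """\
192.168.0.20 GET /admin/diag/ping?host=192.0.2.1 200 body=
192.168.0.20 POST /admin/diag/ping 200 body=host=192.0.2.1%3Buname+-a
192.168.0.33 POST /admin/diag/traceroute 200 body=host=example.net
192.168.0.33 GET /admin/diag/traceroute?target=198.51.100.7%7C%7Cid 200 body=
192.168.0.20 GET /admin/status 200 body=
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) body=(?P<body>.*)$"
)


def extract_params(url: str, body: str) -> Dict[str, str]:
    """Merge query-string and form-body parameters, URL-decoded."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if body:
        params.update(parse_qsl(body, keep_blank_values=True))
    # Decode a second time so double-encoded values are also inspected.
    return {name: unquote_plus(value) for name, value in params.items()}


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per parameter whose decoded value holds a metacharacter."""
    match = LINE_RE.match(line)
    if not match:
        return []
    findings = []
    for name, value in extract_params(match["url"], match["body"]).items():
        hit = SHELL_META.search(value)
        if hit:
            findings.append({
                "client": match["ip"],
                "method": match["method"],
                "path": urlsplit(match["url"]).path,
                "param": name,
                "value": value,
                "token": hit.group(0),
            })
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan every line of a log excerpt and collect all findings in order."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        findings.extend(scan_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT client={f['client']} {f['method']} {f['path']} "
              f"param={f['param']} token={f['token']!r} value={f['value']!r}")
```

Decoding before matching is the important step: an encoded `%3B` never contains a literal semicolon, so a rule that inspects the raw request line misses it. The second decode pass trades a small false-positive risk (legitimate values containing a literal `%`) for coverage of double-encoded input; correlate alerts with the administrator session that sent the request, as the detection strategies above recommend, before acting on them.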
How to Mitigate CVE-2026-5509
Immediate Actions Required
- Apply the latest firmware updates from TP-Link for the Archer BE450 v1 and Archer BE7200 v1 as soon as they are available from the vendor download portal.
- Rotate administrator credentials on affected routers and enforce strong, unique passwords.
- Restrict access to the web management interface to trusted management VLANs or hosts only.
- Disable remote management on the WAN interface unless explicitly required.
Patch Information
TP-Link publishes firmware updates for affected models on its support portal. Refer to the TP-Link Archer BE450 Firmware page, the TP-Link Archer BE450 Firmware (JP) page, and the TP-Link Archer BE7200 Firmware page. Additional guidance is available in TP-Link FAQ #5102.
Workarounds
- Limit administrative access to the router web interface to a dedicated management network segment.
- Require multi-factor or out-of-band authentication for any administrator account where supported by the platform.
- Monitor and alert on administrator logins and configuration changes until patched firmware is deployed.
# Configuration example: restrict management interface exposure
# Disable WAN-side remote management and bind admin UI to LAN only
# (Apply via the router web UI under System Tools > Administration)
# 1. Remote Management: Disabled
# 2. Local Management: Allow only specified MAC/IP addresses on management VLAN
# 3. HTTPS Management: Enabled, HTTP redirect to HTTPS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.