OS Command Injection Vulnerability in TP-Link Archer Routers
CVE-2026-9151
8.5HIGH
Key Information:
- Vendor
Tp-link Systems Inc.
- Vendor
- CVE Published:
- 10 June 2026
What is CVE-2026-9151?
An OS command injection vulnerability exists in the VPN module of specified TP-Link Archer router models. This flaw allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a maliciously crafted VPN client configuration file. The vulnerability arises from inadequate filtering of special characters, potentially enabling complete control over the affected device. Successful exploitation may compromise the integrity of configurations, undermine network security, and disrupt service availability.
Affected Version(s)
Archer AX12 V1 0
Archer AX1300 v1.6 0
Archer AX17 v1 0
