OS Command Injection Vulnerability in TP-Link Archer Routers
CVE-2026-9151

8.5HIGH

What is CVE-2026-9151?

An OS command injection vulnerability exists in the VPN module of specified TP-Link Archer router models. This flaw allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a maliciously crafted VPN client configuration file. The vulnerability arises from inadequate filtering of special characters, potentially enabling complete control over the affected device. Successful exploitation may compromise the integrity of configurations, undermine network security, and disrupt service availability.

Affected Version(s)

Archer AX12 V1 0

Archer AX1300 v1.6 0

Archer AX17 v1 0

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Henri Nurmi
.