HarborGuard / CVE
Back to search
HIGHCVE-2026-5509Published Modified CNA TPLink

CVE-2026-5509: Arbitrary Command Injection via Browser Developer Console in TP-Link Archer BE450 and BE7200

An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s developer console by supplying a crafted input that is passed to backend system commands without adequate sanitization. Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router’s operating environment.

HarborGuard Analysis

HarborGuard analysis

Synopsis

An authenticated command injection vulnerability affects the TP-Link Archer BE450 v1 and BE7200 v1 routers. The vulnerability is reachable over an adjacent network and requires a valid administrator account; an attacker uses the browser developer console to supply crafted input that reaches backend system commands without adequate sanitization. Successful exploitation gives the attacker arbitrary command execution with elevated privileges on the device, enabling full compromise of the router's operating environment. A patched-image rebuild at version 1.3.0 Build 20260416 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-5509 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that include affected TP-Link Archer firmware components.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 8.5 (HIGH) and weighting findings against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.

Available
Patch

A patched-image rebuild at version 1.3.0 Build 20260416 becomes available on HarborGuard for any environment running an affected version of the Archer BE450 v1 or BE7200 v1 firmware image. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads without manual intervention.

Available

Exploit Conditions

  • Network reachabilityDetail

    The attacker must be on the same local network segment, LAN, or VPN as the targeted device; remote internet-based exploitation is not possible with this vector.

  • AuthenticationRequired

    A valid administrator account on the router's web management interface is required before the injection can be attempted.

  • Victim interactionNot required

    No action by any other user or victim is needed once the attacker has authenticated to the admin interface.

  • Attack complexityDetail

    Exploitation is reliable and condition-free once adjacency and credentials are satisfied, with no race conditions or special environmental factors required.

Blast Radius

  • Attacker executes arbitrary system commands with elevated privileges on the router, gaining full control over the device's operating environment.
  • Attacker can start unauthorized services or establish persistent backdoors on the device.
  • Attacker can modify system configuration, including routing rules, DNS settings, and firewall policies, affecting all traffic passing through the router.
  • All three impact dimensions (confidentiality, integrity, and availability) on the vulnerable component are fully compromised, meaning stored credentials, configuration data, and device availability are all at risk.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-5509 is active against customer images as soon as the CVE enters upstream feeds, with no manual configuration required. For environments confirmed to be running an affected version of the Archer BE450 v1 or BE7200 v1 firmware image, a rebuild at the fixed version (1.3.0 Build 20260416) is available. Where compliance policy permits auto-remediation, HarborGuard can execute the full rebuild-and-PR flow automatically; the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS scoring and compliance context so the responsible team can act manually. Given the adjacent-network attack vector, customers running this firmware in segmented or VPN-accessible environments should treat the exposure as elevated and prioritize the upgrade to 1.3.0 Build 20260416.

See how HarborGuard automates this

Metrics

CVSS v4.0
8.5
Severity
HIGH
Fixed in
1.3.0 Build 20260416
Affected Products
2

Fix available

1.3.0 Build 20260416
Patch commits
Affected packages
  • TP-Link Systems Inc. / Archer BE7200 V1
    < 1.3.0 Build 20260416 (from 0)
  • TP-Link Systems Inc. / Archer BE450 v1
    < 1.3.0 Build 20260416 (from 0)
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References