HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-9151Published Modified CNA TPLink

CVE-2026-9151: Command Injection Vulnerability in OpenVPN on Multiple TP-Link Archer Routers

An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters.  Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.

Metrics

CVSS v4.0
8.5
Severity
HIGH
Fixed in
V1_1.5.0 Build 20260605
Affected Products
4

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An OS command injection vulnerability exists in the VPN module of multiple TP-Link Archer routers (AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6). The flaw is reachable from an adjacent network segment and requires the attacker to be authenticated with administrative credentials; exploitation is triggered by importing a specially crafted OpenVPN client configuration file containing unfiltered special characters. Successful exploitation gives the attacker arbitrary OS command execution on the device, enabling full control over configuration, connected network traffic, and service availability. A patched-image rebuild at firmware version V1_1.5.0 Build 20260605 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected TP-Link firmware components. Any image layer containing a vulnerable firmware version is flagged immediately upon the next pipeline scan or registry push.

Available
Triage

HarborGuard scores this finding at CVSS 8.5 (High) using the published v4.0 vector and weights it against each environment's compliance policy to prioritize routing. Findings are automatically routed to the appropriate team inbox within the customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild targeting firmware version V1_1.5.0 Build 20260605 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against the affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityDetail

    The attacker must be present on the same adjacent network segment, such as a LAN or VPN, rather than reaching the device from an arbitrary point on the internet.

  • AuthenticationRequired

    The attacker must hold an administrative account on the router; low-privilege credentials are not sufficient to access the VPN configuration import function.

  • Victim interactionNot required

    No user action or social engineering is needed; the attacker triggers execution directly by submitting the malicious configuration file.

  • Attack complexityDetail

    Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or environmental preconditions are required beyond network adjacency and admin credentials.

Blast Radius

  • The attacker gains arbitrary OS command execution on the router and takes full administrative control of the device.
  • Stored router configuration, including credentials, VPN keys, and firewall rules, is readable and modifiable by the attacker.
  • The attacker can redirect, inspect, or drop all network traffic passing through the device, compromising the security of every host on the connected LAN.
  • The router's routing and VPN services can be disrupted or disabled, causing a loss of network connectivity for all attached clients.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9151 is active across all scanning pipelines and will flag any image containing components tied to the affected firmware versions (Archer AX12 v1, AX17 v1, AX18 v1, AX1300 v1.6 prior to V1_1.5.0 Build 20260605). Because this is rated High severity, environments with auto-remediation enabled are eligible for an expedited rebuild-and-PR flow; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits, HarborGuard will rebuild the image at the patched firmware version, run a regression test pass, and open a pull request against affected workloads without manual intervention. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with the fix version cited, allowing engineering teams to act directly. Given that exploitation requires adjacent-network access and admin credentials, customers should also consider enforcing network-policy isolation on management interfaces and auditing which accounts hold router admin privileges as compensating controls while rollout of the patched firmware is completed.

See how HarborGuard automates this

Fix available

V1_1.5.0 Build 20260605
Patch commits
Affected packages
  • TP-Link Systems Inc. / Archer AX12 V1
    < V1_1.5.0 Build 20260605 (from 0)
  • TP-Link Systems Inc. / Archer AX18 v1
    < V1_1.5.0 Build 20260605 (from 0)
  • TP Link Systems Inc. / Archer AX17 v1
    < V1_1.5.0 Build 20260605 (from 0)
  • TP-Link Systems Inc. / Archer AX1300 v1.6
    < V1_1.5.0 Build 20260605 (from 0)
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
References