TP-Link Vulnerabilities Let Hackers Take Full Control of Devices

TP-Link disclosed nine critical authenticated command-injection vulnerabilities in Archer BE230 v1.2 firmware (pre-1.2.4 Build 20251218) affecting web, VPN, cloud, and configuration components; eight require adjacent network access with high privileges while CVE-2026-22229 is remotely exploitable via crafted configuration import. CVSS v4.0 scores are 8.5–8.6, successful exploitation can yield full administrative control of devices, and TP-Link issued firmware 1.2.4 Build 20251218 on 2026-02-02 to patch the flaws.