Flaw in two TP-Link Wi-Fi routers risks full takeover: CVE-2026-5509
TP-Link's Archer BE450 and BE7200 Wi-Fi routers have a flaw (CVE-2026-5509): an admin-logged-in attacker can take over the router. Update the firmware now.

Makoto Horikawa
Backend Engineer / AWS / Django
Two popular high-speed Wi-Fi routers from TP-Link, the Archer BE450 and Archer BE7200, contain a flaw that lets someone who is already signed into the admin page take full control of the router itself (CVE-2026-5509). It was found by a Japanese security firm, and was published on June 2, 2026 through JVN, Japan's national vulnerability portal, after coordination by JPCERT/CC. Fixed firmware (the software built into the device) is already available, so owners of the affected models can close the hole simply by updating.
One important caveat: this flaw assumes the attacker can already log into the router's admin page. It is not the kind of bug that lets a stranger on the internet take over your router out of the blue. Even so, anyone connected to your Wi-Fi, or any device still running its factory password, can meet the conditions, so it should not be brushed off. This article walks through what happens, how to tell whether your router is affected, and what to do right now.
What the flaw is, at a glance
First, the key facts. The CVSS score (an international 0–10 measure of how serious a flaw is) is 8.5 (High) under the newer v4.0 method and 6.8 under the older v3.1 method. It is not in the very top rank because exploitation requires being logged into the admin page, which lowers the score.
| Item | Detail |
|---|---|
| ID | CVE-2026-5509 (JVNVU#95687008) |
| Affected models | Archer BE450 v1, Archer BE7200 v1 |
| Affected versions | Firmware before 1.3.0 Build 20260416 |
| Flaw type | Command injection (OS command injection, CWE-78) |
| Preconditions | Admin login + same network |
| Severity | CVSS v4.0: 8.5 (High); v3.1: 6.8 |
| Fixed in | 1.3.0 Build 20260416 or later |
| Reported by | Chuya Hayakawa (00One, Inc.) |
"Command injection (OS command injection)" is a classic technique: an attacker sends a specially crafted string into an input field so the device runs a command it was never meant to. According to TP-Link's advisory, in this case a crafted value sent through the browser's "developer tools" (a developer-facing panel that can manipulate the inner workings of a web page) is passed to the router's internal system commands without being properly checked.
Whoever holds the admin key gets a seat watching all your traffic
"You need to be logged in as admin" may sound like it can't involve you, but the person holding that key isn't only your family or coworkers. The people who care about this are a freeloader who slipped onto your free or guest Wi-Fi, an operator sweeping the network for devices still on factory passwords, an insider about to leave a job while still holding the office router's settings, and an attack group looking to combine this hole with another entry point to dig in. What they want is not one router, but everything that flows through it. The moment this hole is used, the attacker can run any command inside the router, and the device slips out of the owner's hands and becomes the attacker's tool.
A router sits at the doorway of a home or office. Control it and you can swap the websites a victim sees for fakes, quietly read their traffic, or plant a back door to return later. The nasty part is that once someone is lodged deep in the firmware, replacing your PCs and phones won't make the problem go away — the snooping continues until the router itself is reset and updated. A hijacked router is also reused as a launch pad for attacks on others or as a source of junk traffic.
The one left to clean up is whoever owns the line. In a home, every family member's internet use becomes a target; in a shop or small office, even customer records and card-payment traffic are exposed. This single weakness is not being hammered from across the globe on its own, but as long as the admin password is a factory default or something simple, that line is crossed all too easily. That is exactly why doing the firmware update and rethinking the admin password now is what decides whether the damage is stopped before it starts.
What the Archer BE450 and BE7200 are
The Archer BE450 and Archer BE7200 are Wi-Fi routers TP-Link sells for homes and small offices. Both are higher-end models supporting the latest Wi-Fi 7 standard (a new wireless method spreading since 2024), popular for connecting many phones and PCs at high speed. TP-Link holds a large share of the global home-router market and sells widely in Japan through electronics retailers and online stores.
The flaw lives in the "admin page you open in a browser" (the screen used to change the router's settings) that every such device has. It is the very settings screen you use to change your Wi-Fi password or check connected devices. Convenient as it is, that screen talks directly to the internal system, so when input checking is loose, it allows command injection like this.
How to check whether your router is affected
The affected models are the "Archer BE450" and "Archer BE7200," when their firmware is older than 1.3.0 Build 20260416. The model name is printed on a label on the bottom or side of the unit, or on the box. To check the firmware version, log into the admin page (often by opening 192.168.0.1 or tplinkwifi.net in a browser) and look under "System Tools" or "Firmware Update." The table below sorts out what to do.
| Your model | Firmware version | Status | What to do now |
|---|---|---|---|
| Archer BE450, Archer BE7200 | Before Build 20260416 | Affected (action needed) | Update firmware + change admin password |
| Archer BE450, Archer BE7200 | Build 20260416 or later | Patched | No further action (confirm version to be safe) |
| Other TP-Link models | — | Not directly affected | Keep automatic updates on |
Note that TP-Link uses many "Archer BE####" names, and even similar-looking names are not affected here — only the BE450 and BE7200 in their v1 (first) hardware. If you're unsure of your model, check the type number on the unit's label. TP-Link has previously disclosed several command-injection flaws across the Archer line, so regular firmware updates on routers are essential.
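For anyone looking after more than one router, the same check can be scripted. The following is an added example, not a TP-Link tool: it applies the table above to an inventory list. The version-string format, the ordering rule (version number first, then build date) and the inventory rows are assumptions made for illustration.

```python
import re

# From the advisory: affected models, hardware revision, and first fixed release.
AFFECTED_MODELS = {"ARCHER BE450", "ARCHER BE7200"}
AFFECTED_HW = "V1"
FIXED = ((1, 3, 0), 20260416)  # 1.3.0 Build 20260416

# Assumed shape of the version string: "<x>.<y>.<z> Build <YYYYMMDD>" plus optional suffix.
FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\b", re.IGNORECASE)


def parse_firmware(text):
    """Return ((major, minor, patch), build_date) or None if the string is unrecognised."""
    m = FW_RE.match(text or "")
    if not m:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3)), int(m.group(4))


def triage(model, hw_rev, firmware):
    """Classify one device the way the table above does."""
    name = " ".join(model.upper().split())
    if name not in AFFECTED_MODELS or hw_rev.strip().upper() != AFFECTED_HW:
        return "not directly affected"
    parsed = parse_firmware(firmware)
    if parsed is None:
        return "unknown, check manually"  # never report "patched" on a parse failure
    # Assumption: order by version number first, then by build date.
    return "affected" if parsed < FIXED else "patched"


# Constructed inventory rows: (label, model, hardware revision, firmware string).
INVENTORY = [
    ("front-desk", "Archer BE450", "v1", "1.2.1 Build 20251103"),
    ("warehouse", "Archer BE7200", "V1", "1.3.0 Build 20260416 rel.1"),
    ("lobby", "archer  be450", "v1", "unreadable"),
    ("lab", "Other-Model", "v1", "1.0.0 Build 20250101"),
]

if __name__ == "__main__":
    for label, model, hw, fw in INVENTORY:
        print(f"{label:12} {triage(model, hw, fw)}")
```

A device whose version string cannot be parsed is reported as unknown rather than patched, so it still gets a manual look.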
Inside CVE-2026-5509: commands slip through the developer tools
According to JVN and TP-Link's advisory, a user logged into the admin page can use the browser's developer tools to send a crafted input that is passed to the router's internal system commands without adequate sanitization. The result is that an attacker can run arbitrary OS commands (commands against the device's core) on the router. The classification is command injection (CWE-78).
The CVSS breakdown (v4.0) is AV:A/AC:L/PR:H/UI:N. That means it works "from within the same network (AV:A)," "with low difficulty (AC:L)," "requires admin privileges (PR:H)," and "needs no user interaction (UI:N)." In other words, it is not something a faceless crowd hammers from across the internet; it is the kind of weakness used by someone who can already reach the admin page to bring the device fully under their control. It is rated as affecting confidentiality, integrity, and availability alike (VC:H/VI:H/VA:H).
Affected are the Archer BE450 v1 and BE7200 v1 running firmware older than 1.3.0 Build 20260416. The fixed firmware strengthens the checking of values sent via the developer tools so dangerous commands no longer reach the internals.
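The pattern described above, shown as an added illustration of CWE-78 in general and not TP-Link's firmware code: a back-end that trusts whatever the browser sends, next to one that re-checks the value on the server and never hands it to a shell. The "diagnostic target" field and all function names are hypothetical (the advisory does not name the affected parameter), and `echo` stands in for the real system tool so the example runs offline on a Unix-like system.

```python
import ipaddress
import subprocess


def run_unchecked(target):
    """Flawed pattern: the request value is spliced into a shell command line."""
    return subprocess.run("echo probe " + target, shell=True,
                          capture_output=True, text=True).stdout


def validate_target(target):
    """Server-side allowlist: accept only a literal IPv4/IPv6 address."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError("target must be an IP address") from None


def run_checked(target):
    """Hardened pattern: validate on the server, then exec an argv list (no shell)."""
    argv = ["echo", "probe", validate_target(target)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Constructed inputs: one the page's own form would produce, and one that only a
# hand-edited request (for example via the browser's developer tools) could carry.
NORMAL = "192.0.2.10"
CRAFTED = "192.0.2.10; echo SECOND-COMMAND-RAN"


def demo():
    """Run the crafted value through both back-ends and the normal value through the fix."""
    results = {"unchecked": run_unchecked(CRAFTED).splitlines()}
    try:
        results["checked"] = run_checked(CRAFTED)
    except ValueError as exc:
        results["checked"] = "rejected: " + str(exc)
    results["normal"] = run_checked(NORMAL).strip()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Input limits enforced only in the page's JavaScript or form fields do nothing here, because the request can be edited after the page has loaded; the check has to live on the device side.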
Why "login required" still isn't a reason to relax
It's tempting to think "if you need to be admin, it's safe," but on home routers the admin password is often left at its factory default or set to something simple and easy to guess. If an attacker cracks a weak admin password, they can then use this weakness to seize the whole router. Guests on your guest Wi-Fi, or anyone on the same office network, can also reach the admin page given the right conditions.
More worrying is a "chained attack" combining this with another flaw. If a separate bug that bypasses the admin login were found, linking it with this command injection makes "vault the login wall, then take over the router" a realistic path. TP-Link routers have previously had authentication-bypass and command-injection flaws reported, and shared router-component flaws keep appearing too. "Login required" does not mean "safe to ignore" — applying the fix promptly once it's out is the safer call.
✓ Confirmed facts
- ✓ On Archer BE450 v1 / BE7200 v1, an admin-logged-in user can run arbitrary OS commands (JVNVU#95687008)
- ✓ Fixed firmware 1.3.0 Build 20260416 or later is available (TP-Link)
- ✓ Reported by Chuya Hayakawa of the Japanese security firm 00One, Inc.
? Not yet confirmed
- ? Any real-world exploitation — as of this article, no exploit reports or public exploit code have been confirmed, and it is not in the U.S. CISA "Known Exploited Vulnerabilities" (KEV) list
- ? How many affected units are in use — no public data on Archer BE450 / BE7200 shipments or active units has been confirmed
How it came to light
Here is the timeline from the Japanese researcher's report to the vendor fix and the domestic disclosure.
What to do now
The top priority is updating the Archer BE450 / BE7200 firmware to 1.3.0 Build 20260416 or later. Log into the admin page and apply the latest version from the "Firmware Update" section. You can also update from TP-Link's smartphone app (Tether / Deco). If an automatic-update option exists, turn it on so you're less likely to miss future fixes.
In addition, change the router's admin password from its default to something hard to guess. Because this weakness depends on being able to reach the admin page, simply hardening the login raises the bar for exploitation considerably. If you run a separate guest Wi-Fi, confirm that guest-network users cannot reach the admin page. And if you don't use remote management (the feature that lets you open the settings page from outside), turn it off to be safe.
Home-router flaws have been arriving in waves across vendors lately. As covered in the NEC Aterm flaws and the dnsmasq router-component flaws, routers tend to be "set and forget," but regular firmware updates are the best defense. To track flaws in widely used products in Japan, see our roundup of major 2026 vulnerabilities.
FAQ
Q. Can my router be taken over from the internet without warning?
A. No. This weakness requires being able to log into the router's admin page and being on the same network. It is not the kind that a stranger hammers from across the line. That said, if the admin password is a default or something simple, or if it's combined with another flaw, the conditions can line up — so update promptly.
Q. How do I check whether my router is affected?
A. First confirm the type number on the unit's label is "Archer BE450" or "Archer BE7200." If so, log into the admin page and check the firmware version; if it's older than "1.3.0 Build 20260416," it's affected. Updating to the latest version completes the fix.
Q. I'm worried it's already compromised. What should I look at?
A. As of this article there are no reports of exploitation. If you're still concerned, the surest path is to update the firmware, then factory-reset the router and re-set the admin and Wi-Fi passwords. Also check the settings page for any unfamiliar DNS servers or forwarding rules.
Q. Are TP-Link routers other than these two models safe?
A. The direct scope of CVE-2026-5509 is the Archer BE450 v1 and BE7200 v1. However, TP-Link has disclosed command-injection and authentication-bypass flaws on other models too, so we recommend keeping automatic firmware updates on regardless of model.
Summary
CVE-2026-5509, found in TP-Link's Wi-Fi 7 routers Archer BE450 and BE7200, lets someone logged into the admin page run arbitrary commands on the router and take it over. The CVSS is 8.5 (High) under v4.0. It is not hammered one-sidedly from across the internet, but it becomes a real threat if you're still on a default password or it's chained with another flaw. Acting on the report from the Japanese security firm 00One, Inc., TP-Link has released fixed firmware 1.3.0 Build 20260416 or later. If you own an affected model, update the firmware and revisit the admin password soon. A router is the doorway between your home and the internet. Keeping that doorway solid is the surest single move to protect your family's — or your customers' — traffic.