CVE-2026-9151

An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters. Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability.

CVSS

No CVSS.

References

Link	Resource
https://www.tp-link.com/en/support/download/archer-ax12/#Firmware
https://www.tp-link.com/en/support/download/archer-ax17/#Firmware
https://www.tp-link.com/en/support/download/archer-ax18/#Firmware
https://www.tp-link.com/us/support/download/archer-ax1300/#Firmware
https://www.tp-link.com/us/support/faq/5125/

Configurations

No configuration.

History

10 Jun 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-10 18:17

Updated : 2026-06-17 11:04

NVD link : CVE-2026-9151

Mitre link : CVE-2026-9151

CVE.ORG link : CVE-2026-9151

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-9151", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-9151", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-06-10T00:00:00+00:00"}}], "cvssMetricV40": [{"type": "Secondary", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "affectedData": [{"vendor": "TP-Link Systems Inc.", "modules": ["openvpn"], "product": "Archer AX12 V1", "versions": [{"status": "affected", "version": "0", "lessThan": "V1_1.5.0 Build 20260605", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "TP-Link Systems Inc.", "product": "Archer AX18 v1", "versions": [{"status": "affected", "version": "0", "lessThan": "V1_1.5.0 Build 20260605", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "TP Link Systems Inc.", "product": "Archer AX17 v1", "versions": [{"status": "affected", "version": "0", "lessThan": "V1_1.5.0 Build 20260605", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "TP-Link Systems Inc.", "product": "Archer AX1300 v1.6", "versions": [{"status": "affected", "version": "0", "lessThan": "V1_1.5.0 Build 20260605", "versionType": "custom"}], "defaultStatus": "unaffected"}]}], "published": "2026-06-10T18:17:15.637", "references": [{"url": "https://www.tp-link.com/en/support/download/archer-ax12/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/en/support/download/archer-ax17/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/en/support/download/archer-ax18/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/us/support/download/archer-ax1300/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/us/support/faq/5125/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An OS\ncommand injection vulnerability exists in the VPN module of TP-Link Archer AX12\nv1, AX17 v1. AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an\nadjacent, authenticated attacker to execute arbitrary commands on the device by\nimporting a specially crafted VPN client configuration file. The issue stems\nfrom improper filtering of special characters.\u00a0\n\n\n\n\n\nSuccessful\nexploitation of this vulnerability may enable an attacker to gain full control\nof the affected device, potentially compromising configuration integrity,\nnetwork security, and service availability."}], "lastModified": "2026-06-17T11:04:54.217", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630"}