CVE-2026-0654

HIGH

TP-Link Deco BE25 v1.0-1.1.1 - Command Injection

Title source: llm

Description

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.

References (4)

[Various Sources] https://www.tp-link.com/en/support/download/deco-be25/#Firmware

[Various Sources] https://www.tp-link.com/sg/support/download/deco-be25/#Firmware

[Various Sources] https://www.tp-link.com/us/support/download/deco-be25/v1/#Firmware

[Various Sources] https://www.tp-link.com/us/support/faq/4993/

Scores

CVSS v3 8.0

EPSS 0.0007

EPSS Percentile 21.2%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (1)

tp-link/deco_be25_firmware < 1.1.1

Timeline

Published Mar 02, 2026

Tracked Since Mar 03, 2026