CVE-2026-0654

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.tp-link.com/en/support/download/deco-be25/#Firmware	Product
https://www.tp-link.com/sg/support/download/deco-be25/#Firmware	Product
https://www.tp-link.com/us/support/download/deco-be25/v1/#Firmware	Product
https://www.tp-link.com/us/support/faq/4993/	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tp-link:deco_be25_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:tp-link:deco_be25:1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-02 18:16

Updated : 2026-03-06 19:47

NVD link : CVE-2026-0654

Mitre link : CVE-2026-0654

CVE.ORG link : CVE-2026-0654

JSON object : View

Products Affected

tp-link

deco_be25
deco_be25_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-0654", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}], "cvssMetricV40": [{"type": "Secondary", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-02T18:16:25.983", "references": [{"url": "https://www.tp-link.com/en/support/download/deco-be25/#Firmware", "tags": ["Product"], "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/sg/support/download/deco-be25/#Firmware", "tags": ["Product"], "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/us/support/download/deco-be25/v1/#Firmware", "tags": ["Product"], "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/us/support/faq/4993/", "tags": ["Vendor Advisory"], "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device.\nThis issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822."}, {"lang": "es", "value": "El manejo inadecuado de entradas en la interfaz web de administraci\u00f3n de TP-Link Deco BE25 v1.0 permite que una entrada manipulada sea ejecutada como parte de un comando del sistema operativo. Un atacante adyacente autenticado puede ejecutar comandos arbitrarios a trav\u00e9s de un archivo de configuraci\u00f3n manipulado, impactando la confidencialidad, integridad y disponibilidad del dispositivo. Este problema afecta a Deco BE25 v1.0: hasta la 1.1.1 Build 20250822."}], "lastModified": "2026-03-06T19:47:21.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tp-link:deco_be25_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC0E4EDF-87AD-4298-80F6-4264F837BB28", "versionEndIncluding": "1.1.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tp-link:deco_be25:1.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D82E7278-1A07-4F82-A96B-F556D844AB28"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630"}