Improper Input Handling in TP-Link Deco BE25 Administration Interface
CVE-2026-0654

8.5HIGH

Key Information:

Vendor

Tp-link Systems Inc.

Status
Deco Be25 V1.0
Vendor
CVE Published:
2 March 2026

What is CVE-2026-0654?

An issue has been identified in the TP-Link Deco BE25 v1.0 administration web interface where improper input handling can lead to OS command execution through crafted requests. This vulnerability allows an authenticated adjacent attacker to execute arbitrary commands via specially crafted configuration files, thereby threatening the confidentiality, integrity, and availability of the device. It is crucial for users to apply patches provided by TP-Link to mitigate this risk.

Affected Version(s)

Deco BE25 v1.0 0 <= 1.1.1 Build 20250822

References

https://www.tp-link.com/sg/support/download/deco-be25/#Fi...
patch
https://www.tp-link.com/en/support/download/deco-be25/#Fi...
patch
https://www.tp-link.com/us/support/download/deco-be25/v1/...
patch

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

caprinuxx
.