CVE-2026-0654
Received Received - Intake
OS Command Injection in TP-Link Deco BE25 Admin Interface

Publication date: 2026-03-02

Last updated on: 2026-03-06

Assigner: TPLink

Description
Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0654
EUVD
EUVD-2026-9216
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tp-link deco_be25_firmware to 1.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0654 is a command injection vulnerability in the administration web interface of the TP-Link Deco BE25 device, specifically affecting versions up to v1.1.1 Build 20250822.

The vulnerability occurs due to improper input handling, which allows an authenticated adjacent attacker to submit crafted input that is executed as part of an operating system command.

This means the attacker can execute arbitrary commands on the device, potentially compromising its confidentiality, integrity, and availability.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an authenticated adjacent attacker to execute arbitrary OS commands on the affected TP-Link Deco BE25 device.'}, {'type': 'paragraph', 'content': "As a result, the attacker can impact the device's confidentiality, integrity, and availability, potentially leading to unauthorized access, data manipulation, or denial of service."}, {'type': 'paragraph', 'content': 'If exploited, this could disrupt your network operations and compromise sensitive information handled by the device.'}] [3]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-0654 vulnerability on TP-Link Deco BE25 devices, immediately update the device firmware to the latest version provided by TP-Link.

  • Download and install the latest firmware version, such as Deco BE25(SG)_V1_1.1.7 Build 20260114 or newer, which includes security improvements addressing this vulnerability.
  • Ensure the firmware upgrade is performed from the official TP-Link website corresponding to your purchase region to avoid upgrade failures or warranty issues.
  • Verify the hardware version of your device before upgrading to prevent installing incorrect firmware.
  • Use a wired connection during the firmware upgrade process to avoid disconnections.
  • Do not power off the device during the upgrade to prevent permanent damage.
  • Stop all internet applications or disconnect the internet line before starting the upgrade.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0654. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart