Description
Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device.
This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.
Published: 2026-03-02
Score: 8.5 High (CVSS v4.0)
EPSS: < 1% Very Low
KEV: No
Impact: Command injection leading to arbitrary OS command execution
Action: Immediate Patch
AI Analysis

Impact

Improper validation of input supplied to the Deco BE25 v1.0 administration web interface allows crafted data to be forwarded to the operating system shell. As a result, an adjacent attacker (on the same local network) who can authenticate to the device's administration interface can inject and execute arbitrary commands, gaining full control of the device. This compromises the confidentiality, integrity, and availability of the router and of any network traffic it handles.

Affected Systems

The vulnerability affects the TP-Link Systems Inc. Deco BE25 model v1.0 running firmware through 1.1.1 Build 20250822. Devices running any firmware within this range are susceptible.

Risk and Exploitability

The CVSS v4.0 score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, and no public exploits have been reported. The likely attack vector is an authenticated attacker on an adjacent network segment (CVSS AV:A) who can upload a crafted configuration file to the device.

Generated by OpenCVE AI on April 16, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Flash the device with the latest firmware release as soon as TP-Link publishes a build newer than 1.1.1 Build 20250822 (the last affected version).
  • Delete any existing configuration files that may contain malicious content and reconfigure the device securely.
  • Restrict access to the administration interface by disabling remote management or restricting it to trusted IP ranges.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 20:00:00 +0000 (values added; nothing removed)

First Time appeared: Tp-link deco Be25 Firmware
CPEs: cpe:2.3:h:tp-link:deco_be25:1.0:*:*:*:*:*:*:*
      cpe:2.3:o:tp-link:deco_be25_firmware:*:*:*:*:*:*:*:*
Vendors & Products: Tp-link deco Be25 Firmware
Metrics: cvssV3_1 {'score': 8.0, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 04 Mar 2026 11:00:00 +0000 (values added; nothing removed)

First Time appeared: Tp-link
                     Tp-link deco Be25
Vendors & Products: Tp-link
                    Tp-link deco Be25

Mon, 02 Mar 2026 19:15:00 +0000 (values added; nothing removed)

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:00:00 +0000 (values added; nothing removed)

Description: Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.
Title: Command injection on TP-Link Deco BE25
Weaknesses: CWE-78
References: none listed
Metrics: cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}

MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-03-11T03:56:40.297Z

Reserved: 2026-01-06T18:19:05.133Z

Link: CVE-2026-0654

Vulnrichment

Updated: 2026-03-02T18:58:22.752Z

NVD

Status: Analyzed

Published: 2026-03-02T18:16:25.983

Modified: 2026-03-06T19:47:21.207

Link: CVE-2026-0654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:00:10Z

Weaknesses