Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TP-Link Deco BE25 v1.0 (web modules) allows authenticated adjacent attacker to read arbitrary files or cause denial of service.  This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.
Published: 2026-03-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Patch Now
AI Analysis

Impact

The vulnerability is a path traversal flaw in TP‑Link Deco BE25 web modules. It permits an authenticated attacker who can reach the router from the local network to read files outside the intended directory or trigger a denial of service. The flaw arises from insufficient path validation, allowing the attacker to exfiltrate sensitive configuration files or crash the device, thereby affecting confidentiality, integrity, and availability.

Affected Systems

TP‑Link Systems Inc. Deco BE25 routers running firmware versions 1.0 through 1.1.1 Build 20250822 are impacted. Devices within this firmware range that are exposed to the local network are vulnerable. No fixed release has been announced yet, so later builds are not known to be unaffected.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is less than 1 %, suggesting a low probability of exploitation in the wild. However, the vulnerability requires local network authentication, so it is most likely exploited by device administrators or malicious users that gain local network access. The flaw is not listed in the CISA KEV catalog. Because the attacker can read arbitrary files, the confidentiality impact is significant, and the device may also suffer instability from denial of service attempts.

Generated by OpenCVE AI on April 16, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Deco BE25 firmware to the latest version that addresses the path traversal vulnerability. If no fix is currently available, monitor TP‑Link for a release.
  • Restrict access to the router’s web management interface by limiting the local network or enabling firewall rules that block potential adjacent attackers; disable remote management features.
  • Disable or remove unnecessary web modules in the firmware to reduce the attack surface.

Generated by OpenCVE AI on April 16, 2026 at 14:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link deco Be25 Firmware
CPEs cpe:2.3:h:tp-link:deco_be25:1.0:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:deco_be25_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link deco Be25 Firmware
Metrics cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link deco Be25
Vendors & Products Tp-link
Tp-link deco Be25

Mon, 02 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TP-Link Deco BE25 v1.0 (web modules) allows authenticated adjacent attacker to read arbitrary files or cause denial of service.  This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.
Title Path Traversal on TP-Link Deco BE25
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:L'}

Subscriptions

Tp-link Deco Be25 Deco Be25 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-03-02T19:21:36.575Z

Reserved: 2026-01-06T18:29:34.354Z

Link: CVE-2026-0655

cve-icon Vulnrichment

Updated: 2026-03-02T19:21:16.007Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-02T18:16:26.170

Modified: 2026-03-06T19:46:46.767

Link: CVE-2026-0655

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses