TP-Link Deco BE25: Malicious Input Can Execute System Commands

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.5

TP-Link Deco BE25: Malicious Input Can Execute System Commands

CVE-2026-0654

Summary

An attacker with admin access to your TP-Link Deco BE25 can enter malicious commands that could potentially delete or change settings, or even take control of the device. This is a risk because it allows unauthorized changes to be made to your home network. To mitigate this issue, update your Deco BE25 to the latest firmware version as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
tp-link	deco_be25_firmware	<= 1.1.1	–

Original title

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute a...

Original description

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device.
This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.

nvd CVSS3.1 8.0

nvd CVSS4.0 8.5

Vulnerability type

CWE-78 OS Command Injection

https://www.tp-link.com/en/support/download/deco-be25/#Firmware Product
https://www.tp-link.com/sg/support/download/deco-be25/#Firmware Product
https://www.tp-link.com/us/support/download/deco-be25/v1/#Firmware Product
https://www.tp-link.com/us/support/faq/4993/ Vendor Advisory

Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026