Cyber Posture

CVE-2026-0654

Severity: High
Published: 02 March 2026
Modified: 06 March 2026
KEV Added: not listed
Patch: firmware update available
CVSS Score: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0654 is a high-severity OS Command Injection (CWE-78) vulnerability in TP-Link Deco BE25 firmware. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): directly addresses improper input handling in the administration web interface by requiring validation of all inputs, including crafted configuration files, to prevent command injection.

- SI-2 Flaw Remediation (prevent): mandates timely flaw remediation through firmware updates that patch the command injection vulnerability in TP-Link Deco BE25.

- Input restriction (prevent): restricts the types and quantities of inputs to the web interface, limiting the ability to upload crafted configuration files that enable OS command execution.
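The two input-handling controls above (validate every field; restrict which fields and how much of each are accepted) are easiest to see side by side. The following is an added, constructed example and not TP-Link's code: it models a hypothetical configuration-import handler that applies a "hostname" field by running a system command, first in the CWE-78 shape (value spliced into a shell string) and then in a hardened shape (schema whitelist, per-field pattern, field-count cap, and the value passed as its own argv element so no shell ever parses it). The schema keys, patterns and sample configs are assumptions made for the demonstration.

```python
import re
import subprocess
from typing import Dict, List

# Hypothetical admin-interface import schema (constructed for this example).
# Only these keys are accepted, and each value must fully match its pattern.
CONFIG_SCHEMA: Dict[str, "re.Pattern[str]"] = {
    "hostname": re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}"),   # single RFC 1123 label
    "ntp_server": re.compile(r"[A-Za-z0-9.-]{1,253}"),
}

# Constructed sample inputs: one benign config and one whose value carries a
# shell metacharacter followed by a second command.
BENIGN_CONFIG = {"hostname": "deco-office"}
HOSTILE_CONFIG = {"hostname": "deco-office; id"}


def build_command_unsafe(cfg: Dict[str, str]) -> str:
    """CWE-78 pattern: the field value is pasted into a string meant for shell=True.

    Nothing checks the value, so ';' (or '|', '&&', '$(...)') is handed to the
    shell as syntax and the imported file controls what runs.
    """
    return f"hostname {cfg['hostname']}"


def validate_config(cfg: Dict[str, str]) -> Dict[str, str]:
    """SI-10 style validation: reject unknown keys, wrong types, and malformed
    or oversize values before any of them reach a command line.

    The field-count cap implements the 'restrict types and quantities' control:
    an import cannot carry more fields than the schema defines.
    """
    if len(cfg) > len(CONFIG_SCHEMA):
        raise ValueError("too many configuration fields")
    clean: Dict[str, str] = {}
    for key, value in cfg.items():
        pattern = CONFIG_SCHEMA.get(key)
        if pattern is None:
            raise ValueError(f"unknown configuration key: {key!r}")
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            raise ValueError(f"invalid value for {key!r}")
        clean[key] = value
    return clean


def build_command_safe(cfg: Dict[str, str]) -> List[str]:
    """Hardened form: validated value becomes a separate argv element.

    Passing this list to subprocess.run(argv) (shell=False, the default) sends
    it straight to execve, where shell metacharacters have no meaning.
    """
    clean = validate_config(cfg)
    return ["hostname", clean["hostname"]]


def apply_hostname(cfg: Dict[str, str]) -> "subprocess.CompletedProcess[bytes]":
    """How the hardened argv would be executed on the device (not run here)."""
    return subprocess.run(build_command_safe(cfg), check=False, capture_output=True)


if __name__ == "__main__":
    print("unsafe string for hostile input:", repr(build_command_unsafe(HOSTILE_CONFIG)))
    print("safe argv for benign input:     ", build_command_safe(BENIGN_CONFIG))
    try:
        build_command_safe(HOSTILE_CONFIG)
    except ValueError as exc:
        print("hostile input rejected:         ", exc)
```

The detection angle follows from the same schema: an import whose fields fail `validate_config` is worth logging with the offending key, since on the unpatched device that is exactly the input class the NVD description attributes to this CVE.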

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection (CWE-78) in the admin web interface directly enables exploitation of the public- or adjacent-facing application (T1190), resulting in Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.

Deeper analysis

CVE-2026-0654 involves improper input handling in the administration web interface of the TP-Link Deco BE25 v1.0, enabling crafted input to be executed as part of an OS command through a crafted configuration file. This command injection vulnerability, classified under CWE-78, affects Deco BE25 v1.0 versions through 1.1.1 Build 20250822.

An authenticated adjacent attacker can exploit this vulnerability to execute arbitrary commands on the device. According to the CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), exploitation requires adjacent-network access, low attack complexity, and low privileges (an authenticated account), but grants high impact on confidentiality, integrity, and availability.

TP-Link provides firmware updates as the primary mitigation, available via support download pages for the Deco BE25, including regional variants at https://www.tp-link.com/en/support/download/deco-be25/#Firmware, https://www.tp-link.com/sg/support/download/deco-be25/#Firmware, https://www.tp-link.com/us/support/download/deco-be25/v1/#Firmware, and additional guidance in FAQ 4993 at https://www.tp-link.com/us/support/faq/4993/.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: tp-link deco be25 firmware, versions ≤ 1.1.1

CVEs Like This One

- CVE-2024-57357 (same vendor: TP-Link)
- CVE-2026-30818 (same vendor: TP-Link)
- CVE-2025-9377 (same vendor: TP-Link)
- CVE-2026-0655 (same product: TP-Link Deco BE25)
- CVE-2026-0630 (same vendor: TP-Link)
- CVE-2026-22225 (same vendor: TP-Link)
- CVE-2026-0652 (same vendor: TP-Link)
- CVE-2026-22227 (same vendor: TP-Link)
- CVE-2026-22229 (same vendor: TP-Link)
- CVE-2026-22226 (same vendor: TP-Link)
