Cyber Resilience

CVE-2026-0655

Severity: Medium
Published: 02 March 2026
Modified: 06 March 2026
CVSS v4 Score: 6.9 (CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0005 (16.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0655 is a medium-severity Path Traversal (CWE-22) vulnerability in TP-Link Deco BE25 firmware. Its CVSS v4 base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 16.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0655 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22, affecting the web modules of TP-Link Deco BE25 v1.0. This path traversal issue impacts versions through 1.1.1 Build 20250822 and carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.

An authenticated adjacent attacker with low privileges can exploit this vulnerability over the adjacent network with low complexity and no user interaction required. Successful exploitation allows the attacker to read arbitrary files on the device or cause a denial of service, potentially compromising sensitive configuration data or disrupting network operations.

TP-Link provides firmware updates for the Deco BE25 v1.0 on regional support download pages, including those for global, Singapore, and US variants, as the primary mitigation. Additional guidance is available in their US support FAQ 4993.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TP-Link Deco BE25 v1.0 (web modules) allows an authenticated adjacent attacker to read arbitrary files or cause denial of service. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1602.002 Network Device Configuration Dump (Collection): Adversaries may access network configuration files to collect sensitive data about the device and the network.
Why these techniques?

Path traversal directly enables arbitrary file read on a network device, which maps to local data access (T1005) and configuration dump (T1602.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-0654: same product (TP-Link Deco BE25)
- CVE-2026-0651: same vendor (TP-Link)
- CVE-2025-15605: same vendor (TP-Link)
- CVE-2026-44307: shared CWE-22
- CVE-2026-5509: same vendor (TP-Link)
- CVE-2026-22221: same vendor (TP-Link)
- CVE-2026-30814: same vendor (TP-Link)
- CVE-2026-0918: same vendor (TP-Link)
- CVE-2026-22227: same vendor (TP-Link)
- CVE-2025-68921: shared CWE-22

Affected Assets

Vendor: tp-link
Product: deco be25 firmware
Versions: ≤ 1.1.1

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly prevents path traversal attacks by enforcing validation of pathname inputs in the vulnerable web modules.
- SI-2 Flaw Remediation (prevent): Mitigates the vulnerability by identifying and applying vendor-provided firmware updates to remediate the path traversal flaw.
- Access enforcement (prevent): Enforces approved access authorizations to system files and resources, limiting the impact of successful path traversal by authenticated users.
