Cyber Posture

CVE-2026-0655

High

Published: 02 March 2026

Modified: 06 March 2026
KEV Added: not listed
Patch: vendor firmware update available
CVSS Score: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0655 is a high-severity path traversal (CWE-22) vulnerability in the web modules of TP-Link Deco BE25 v1.0 firmware. Its CVSS v3.1 base score is 8.0 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). Its EPSS score places it at the 16.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and Network Device Configuration Dump (T1602.002). What defenders deploy: the NIST 800-53 controls listed below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent
Directly prevents path traversal attacks by enforcing validation of pathname inputs in the vulnerable web modules.

SI-2 Flaw Remediation · prevent
Mitigates the vulnerability by identifying and applying vendor-provided firmware updates to remediate the path traversal flaw.

AC-3 Access Enforcement · prevent
Enforces approved access authorizations to system files and resources, limiting the impact of successful path traversal by authenticated users.
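The SI-10 control above is easiest to see in code. The following is an added example, not TP-Link's firmware or any code from this advisory: the naive root-plus-request concatenation that produces CWE-22, next to a hardened join that normalises the request path segment by segment and refuses any ".." that would climb out of the document root, plus the containment check to apply to a realpath()-canonicalised result before opening the file. The document root "/www", the request strings and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (CWE-22): the request path is appended to the document
 * root with no validation, so "../" segments walk out of the root.
 * Returns 0 on success, -1 if the buffer is too small. */
int naive_join(const char *root, const char *req, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", root, req);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened join (input validation in the spirit of SI-10; an assumed design,
 * not the vendor's code). "." is dropped, ".." pops the previous segment and
 * is refused when nothing is left to pop, i.e. when it would climb above the
 * root. Run this on the percent-DECODED request path, or "%2e%2e" slips by.
 * Returns 0 on success, -1 if the request is rejected or does not fit. */
int safe_join(const char *root, const char *req, char *out, size_t outlen)
{
    const char *segs[64];   /* start of each kept segment */
    size_t lens[64];        /* length of each kept segment */
    size_t depth = 0;
    const char *p = req;

    if (root == NULL || req == NULL)
        return -1;

    while (*p) {
        while (*p == '/')            /* collapse repeated separators */
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;                /* "." changes nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;           /* would escape the document root */
            depth--;
            continue;
        }
        if (depth == 64)
            return -1;               /* unreasonably deep request */
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    size_t pos = strlen(root);
    if (pos >= outlen)
        return -1;
    memcpy(out, root, pos);
    for (size_t i = 0; i < depth; i++) {
        if (pos + 1 + lens[i] >= outlen)
            return -1;
        out[pos++] = '/';
        memcpy(out + pos, segs[i], lens[i]);
        pos += lens[i];
    }
    out[pos] = '\0';
    return 0;
}

/* Containment check for a canonicalised path (e.g. the realpath() of the file
 * about to be opened, so symlinks under the root cannot point outside it).
 * Returns 1 if `path` equals `root` or lies below it, else 0. A bare prefix
 * strncmp() is the classic mistake: it accepts "/www2/x" for root "/www". */
int path_within_root(const char *path, const char *root)
{
    size_t rl = strlen(root);
    while (rl > 1 && root[rl - 1] == '/')   /* ignore trailing slashes */
        rl--;
    if (strncmp(path, root, rl) != 0)
        return 0;
    return path[rl] == '\0' || path[rl] == '/';
}

int main(void)
{
    /* Constructed request paths; the first is a typical traversal probe. */
    const char *reqs[] = { "../../etc/passwd", "img/../index.html", "/css//./style.css" };
    char buf[256];
    for (size_t i = 0; i < 3; i++) {
        naive_join("/www", reqs[i], buf, sizeof buf);
        printf("naive %-18s -> %s\n", reqs[i], buf);
        printf("safe  %-18s -> %s\n", reqs[i],
               safe_join("/www", reqs[i], buf, sizeof buf) == 0 ? buf : "rejected");
    }
    return 0;
}
```

The lexical normalisation and the post-realpath() containment check are complementary: the first rejects the request before any filesystem access, the second catches symlinks and mount tricks that a purely textual check cannot see.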

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1602.002 Network Device Configuration Dump (Collection)
Adversaries may access network configuration files to collect sensitive data about the device and the network.
Why these techniques?

Path traversal gives an authenticated attacker arbitrary file read on the network device, which maps to collecting files from the local system (T1005) and dumping the device configuration (T1602.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TP-Link Deco BE25 v1.0 (web modules) allows authenticated adjacent attacker to read arbitrary files or cause denial of service. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.

Deeper analysis

CVE-2026-0655 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, CWE-22, in the web modules of TP-Link Deco BE25 v1.0. It affects firmware versions through 1.1.1 Build 20250822 and carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high severity, with the vector rating confidentiality, integrity and availability impact all as high.

Exploitation requires adjacent network access (the same Wi-Fi or LAN segment as the Deco unit) and a valid low-privilege account on the web interface; attack complexity is low and no user interaction is needed. A successful request reads arbitrary files from the device filesystem, which can expose sensitive configuration data, or crashes the web service (denial of service). Note that the NVD description names only file read and denial of service while the vector also rates integrity impact as high, so a unit with signs of exploitation should be treated as fully compromised rather than merely leaked.

The primary mitigation is the vendor firmware update, which TP-Link publishes on the regional support download pages for the Deco BE25 v1.0 (global, Singapore and US variants). Additional guidance is in TP-Link's US support FAQ 4993. Until the update is applied, limiting which network segments can reach the management interface (for example, no guest-network access to the admin UI) reduces exposure, since the attacker must already be adjacent and authenticated.

Details

CWE(s): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products: tp-link deco be25 firmware ≤ 1.1.1 (through Build 20250822)

CVEs Like This One

CVE-2026-0654 (same product: TP-Link Deco BE25)
CVE-2026-0651 (same vendor: TP-Link)
CVE-2025-15605 (same vendor: TP-Link)
CVE-2025-15518 (same vendor: TP-Link)
CVE-2025-14756 (same vendor: TP-Link)
CVE-2026-22221 (same vendor: TP-Link)
CVE-2026-3622 (same vendor: TP-Link)
CVE-2026-22224 (same vendor: TP-Link)
CVE-2025-61983 (same vendor: TP-Link)
CVE-2025-54794 (shared CWE-22)
