Security Advisory on Command Injection and Path Traversal Vulnerabilities on TP-Link Deco BE25 (CVE-2026-0654, CVE-2026-0655 and CVE-2026-22229)
Description of Vulnerabilities and Impacts:
CVE-2026-0654: Command Injection Vulnerability
Improper input handling in the administration web interface allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via a crafted configuration file, impacting the confidentiality, integrity and availability of the device.
CVSS v4.0 Score: 8.5 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
CVE-2026-0655: Path Traversal Vulnerability
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in web modules allows an authenticated adjacent attacker to read arbitrary files or cause denial of service.
CVSS v4.0 Score: 6.9 / Medium
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:L
CVE-2026-22229 (Previously Published Vulnerability)
This vulnerability, previously disclosed in the Security Advisory on Authenticated Command Injection Vulnerabilities on Archer BE230 (CVE-2026-0630, CVE-2026-0631, CVE-2026-22221-22227, CVE-2026-22229), also affects this product. The vulnerability details remain unchanged; please refer to the original advisory.
Affected Products/Versions and Fixes:
| Affected Product | Affected Version |
|---|---|
| Deco BE25 v1.0 | <= 1.1.1 Build 20250822 |
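
To check a device inventory against the affected-version row above, the following added example (not TP-Link code) classifies each record. It assumes firmware strings are reported in the same `X.Y.Z Build YYYYMMDD` form the advisory uses and that releases order by version number, then build date; the function names and the sample inventory are constructed for illustration.

```python
import re

# Threshold from the advisory table: Deco BE25 v1.0, firmware <= 1.1.1 Build 20250822.
AFFECTED_MODEL = "Deco BE25"
AFFECTED_HW = "v1.0"
LAST_AFFECTED = ((1, 1, 1), 20250822)

_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})\b", re.IGNORECASE)


def parse_firmware(fw):
    """Return ((major, minor, patch), build_date), or None if the string does not parse."""
    m = _FW_RE.match(fw)
    if not m:
        return None
    return (tuple(int(x) for x in m.group(1, 2, 3)), int(m.group(4)))


def classify(model, hw, fw):
    """Return 'affected', 'newer', 'unknown' or 'out_of_scope' for one inventory record."""
    if model.strip().lower() != AFFECTED_MODEL.lower() or hw.strip().lower() != AFFECTED_HW:
        return "out_of_scope"  # not covered by this advisory's table; other advisories may apply
    parsed = parse_firmware(fw)
    if parsed is None:
        return "unknown"       # do not guess; verify the device by hand
    # Assumption: releases order by version number first, then by build date.
    return "affected" if parsed <= LAST_AFFECTED else "newer"


def triage(records):
    """Map each hostname to its classification."""
    return {host: classify(model, hw, fw) for host, model, hw, fw in records}


# Constructed sample inventory: hostnames and all firmware strings except the
# advisory's own threshold value are made up for this example.
SAMPLE = [
    ("deco-hall", "Deco BE25", "v1.0", "1.1.1 Build 20250822"),
    ("deco-attic", "Deco BE25", "v1.0", "1.0.9 Build 20250301"),
    ("deco-lab", "Deco BE25", "v1.0", "1.1.2 Build 20251201"),
    ("deco-shed", "Deco BE25", "v1.0", "n/a"),
    ("ap-office", "Other Model", "v2.0", "1.0.0 Build 20240101"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Records classified `unknown` or `out_of_scope` are not cleared by this check and still need review against the relevant advisory.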
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Download and update to the latest firmware version to fix the vulnerabilities.
US: Download for Deco BE25 | TP-Link
EN: Download for Deco BE25 | TP-Link
SG: Download for Deco BE25 | TP-Link Singapore
Acknowledgements
We thank caprinuxx, jro and sunshinefactory for responsibly reporting these issues to us.
Disclaimer:
If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.