CVE-2026-0655
HIGHCVSS Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TP-Link Deco BE25 v1.0 (web modules) allows authenticated adjacent attacker to read arbitrary files or cause denial of service. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.
Analysis
TP-Link Deco BE25 firmware versions 1.0 through 1.1.1 (Build 20250822) contain a path traversal vulnerability that allows authenticated adjacent network attackers to read arbitrary files or trigger denial of service without user interaction. The vulnerability affects the web module component and requires local network access with valid credentials to exploit. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all TP-Link Deco BE25 devices in production and verify installed firmware versions (1.0 through 1.1.1 Build 20250822 are affected). Within 7 days: Isolate affected devices to a restricted management network segment and disable remote administration features; restrict access to the web interface to trusted administrative IPs only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today