CVE-2026-0654 is an OS command injection vulnerability identified in the TP-Link Deco BE25 v1.0 wireless mesh router system. The root cause is improper neutralization of special elements in user-supplied input within the device's administration web interface. Specifically, crafted input embedded in configuration files can be executed as part of underlying operating system commands. This vulnerability is classified under CWE-78, indicating that the system fails to properly sanitize or validate input before incorporating it into OS commands. An attacker with authenticated access on an adjacent network can exploit this flaw to execute arbitrary commands with high privileges on the device, potentially leading to full compromise. The vulnerability affects firmware versions through 1.1.1 Build 20250822. The CVSS v4.0 base score is 8.5, reflecting high severity due to the combination of adjacent network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are known, the vulnerability poses a significant risk given the device's role in home and small office networks. The lack of a patch link indicates that a fix may not yet be publicly available, underscoring the need for immediate mitigation.

Successful exploitation of CVE-2026-0654 allows an attacker to execute arbitrary OS commands on the affected TP-Link Deco BE25 device with high privileges. This can lead to full device compromise, enabling attackers to manipulate device configurations, intercept or redirect network traffic, install persistent malware, or disrupt network availability. The breach of confidentiality could expose sensitive network information or user data. Integrity could be compromised through unauthorized configuration changes or firmware tampering. Availability could be impacted by denial-of-service conditions caused by malicious commands. Given the device's role as a network gateway in homes and small offices, exploitation could serve as a foothold for lateral movement into internal networks or as a platform for launching further attacks. The requirement for authenticated adjacent access limits the attack surface but does not eliminate risk, especially in environments with weak authentication or compromised internal users.

1. Immediately restrict access to the Deco BE25 administration interface to trusted management networks only, using network segmentation and firewall rules to block adjacent network access from untrusted sources. 2. Enforce strong authentication mechanisms and complex passwords for device administration to reduce the risk of credential compromise. 3. Monitor network traffic and device logs for unusual configuration changes or command execution patterns indicative of exploitation attempts. 4. Disable remote administration features if not required, or restrict them to secure VPN connections. 5. Regularly check TP-Link’s official channels for firmware updates addressing this vulnerability and apply patches promptly once available. 6. Consider deploying network intrusion detection/prevention systems (IDS/IPS) capable of detecting command injection attempts or anomalous administrative activity. 7. Educate users and administrators about the risks of adjacent network attacks and the importance of limiting administrative interface exposure. 8. If possible, implement multi-factor authentication (MFA) for device management to further reduce risk.