CVE-2026-0654 is an OS command injection vulnerability classified under CWE-78, affecting TP-Link Systems Inc.'s Deco BE25 v1.0 Wi-Fi mesh devices running firmware versions through 1.1.1 Build 20250822. The root cause is improper neutralization of special elements in user-supplied input within the device's administration web interface. Specifically, the vulnerability arises when an authenticated attacker with adjacent network access submits a crafted configuration file that is improperly sanitized and subsequently executed as part of an operating system command. This flaw enables the attacker to execute arbitrary OS commands with the privileges of the administration interface, potentially compromising the device's confidentiality, integrity, and availability. The vulnerability requires authentication and adjacency, meaning the attacker must be on the same or a connected local network segment but does not require user interaction beyond authentication. The CVSS v4.0 score is 8.5 (high severity), reflecting low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are publicly reported, the vulnerability presents a significant risk given the widespread use of TP-Link Deco BE25 devices in home and small office environments. The lack of available patches at the time of disclosure necessitates immediate mitigation strategies to prevent exploitation.

The impact of CVE-2026-0654 is substantial for organizations and individuals using TP-Link Deco BE25 devices. Successful exploitation allows an attacker to execute arbitrary OS commands on the device, which can lead to full compromise of the device's operating system. This can result in unauthorized access to network traffic, manipulation or destruction of device configurations, disruption of network services, and potential pivoting to other devices on the network. Confidentiality is at risk as sensitive data passing through or stored on the device may be exposed. Integrity is compromised due to the ability to alter device settings or firmware. Availability can be affected if the attacker disrupts or disables network connectivity. For enterprises or critical infrastructure relying on these devices for network connectivity, this vulnerability could lead to significant operational disruptions and data breaches. The requirement for authentication and adjacency limits remote exploitation but does not eliminate risk, especially in environments with weak network segmentation or compromised internal users.

To mitigate CVE-2026-0654, organizations should first verify if their TP-Link Deco BE25 devices are running affected firmware versions up to 1.1.1 Build 20250822. Since no patches are currently available, immediate steps include restricting access to the device's administration interface to trusted management networks only, employing strong authentication credentials, and enabling network segmentation to isolate the device from untrusted or guest networks. Monitoring network traffic for unusual configuration file uploads or command execution attempts can help detect exploitation attempts. Administrators should disable remote administration features if not required and consider using VPNs or secure tunnels for management access. Once TP-Link releases a firmware update addressing this vulnerability, prompt application of the patch is critical. Additionally, organizations should review and harden device configurations, disable unnecessary services, and maintain an inventory of IoT devices to ensure timely response to future vulnerabilities.