CVE-2026-0655 is a path traversal vulnerability categorized under CWE-22 affecting TP-Link Deco BE25 v1.0 web modules. This vulnerability stems from improper validation and limitation of file pathnames, allowing an authenticated attacker with high privileges on an adjacent network to manipulate file paths to access files outside the intended directory scope. This can lead to unauthorized reading of arbitrary files, potentially exposing sensitive configuration or system files, or cause denial of service by accessing or manipulating critical files. The vulnerability affects Deco BE25 firmware versions up to 1.1.1 Build 20250822. Exploitation requires the attacker to be authenticated with high privileges, but no user interaction is needed. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:L) reflects that the attack vector is adjacent network, with low attack complexity, no attack or user interaction required, and high impact on confidentiality and availability. No patches or exploits are currently publicly available, but the issue is published and should be addressed promptly. The vulnerability could be leveraged to compromise device integrity and confidentiality, impacting network security and device availability.

The vulnerability allows an attacker with authenticated high privileges on an adjacent network to read arbitrary files or cause denial of service on the affected TP-Link Deco BE25 devices. This can lead to exposure of sensitive information such as configuration files, credentials, or logs, potentially enabling further attacks or lateral movement within a network. Denial of service could disrupt network connectivity or degrade device functionality, impacting business operations relying on these devices. Given the medium severity and requirement for authentication, the risk is moderate but significant in environments where Deco BE25 devices are widely deployed, especially in enterprise or critical infrastructure networks. The impact on confidentiality and availability can affect organizational security posture, compliance, and operational continuity.

Organizations should implement the following specific mitigations: 1) Restrict administrative access to Deco BE25 devices to trusted and secure networks only, minimizing exposure to adjacent attackers. 2) Enforce strong authentication and access controls to prevent unauthorized high-privilege access. 3) Monitor network traffic for unusual file access patterns or denial of service symptoms on Deco BE25 devices. 4) Apply firmware updates or patches from TP-Link as soon as they become available to address this vulnerability. 5) Consider network segmentation to isolate Deco BE25 devices from untrusted or less secure network segments. 6) Conduct regular security audits and vulnerability scans on network devices to detect similar path traversal or access control issues. 7) Educate network administrators on the risks of path traversal vulnerabilities and the importance of secure configuration.