Listen to this Post
CVE-2026-0655 is a Path Traversal vulnerability residing in the web modules of the TP-Link Deco BE25 v1.0 mesh system. The vulnerability stems from the application’s failure to properly sanitize user-supplied file paths, specifically the “Improper Limitation of a Pathname to a Restricted Directory.” An attacker who has successfully authenticated to the device’s administrative interface and is on the same local network (adjacent attacker) can exploit this flaw. By crafting a malicious HTTP request containing path traversal sequences like ../, the attacker can break out of the intended web root directory. This allows them to navigate the device’s filesystem arbitrarily. The primary impact is the unauthorized reading of sensitive system files, configuration files, or other data stored on the device. Furthermore, by accessing special device files or causing the system to read from unexpected locations, the attacker can induce a denial of service (DoS) condition, potentially crashing the web server or destabilizing the router. The vulnerability affects all firmware versions up to and including 1.1.1 Build 20250822. TP-Link assigned a CVSS-B score of 6.9 (Medium), highlighting the high confidentiality and availability impacts despite the requirement for authentication and adjacent network access.
Platform: TP-Link Deco
Version: BE25 v1.0
Vulnerability : Path Traversal
Severity: Medium
date: March 2, 2026
Prediction: Early April 2026
What Undercode Say:
This vulnerability allows an authenticated user on the network to escape the web server’s root directory.
Analytics:
The core issue is a lack of input validation on filename parameters.
Attackers can use `../` sequences to traverse directories.
This can lead to reading arbitrary files like `/etc/passwd` or firmware secrets.
The vulnerability can also be used to cause a denial of service.
How Exploit:
The following `curl` command demonstrates a proof-of-concept to read a system file. You would need to replace `
` and the endpoint with the actual vulnerable parameter. [bash] Attempt to read the /etc/passwd file by traversing out of the web root curl -u admin:[bash] "http://[bash]/vulnerable_module?file=../../../../etc/passwd"
A more advanced attempt might target the firmware image:
Attempt to read the firmware partition curl -u admin:[bash] "http://[bash]/vulnerable_module?file=../../../../dev/mtdblock0"
Protection from this CVE:
Apply the official firmware update from TP-Link as soon as it is released.
Ensure the router’s administrative interface is not exposed to the public internet.
If possible, restrict administrative access to specific trusted MAC addresses or IPs.
As a temporary measure, disable remote management features until a patch is applied.
Impact:
Confidentiality Breach: An attacker can read sensitive configuration files containing Wi-Fi passwords or ISP credentials.
Denial of Service: By accessing special files or triggering unexpected behavior, the attacker can crash the router, causing an internet outage.
Lateral Movement: Information gleaned from the router (e.g., network topology, connected devices) can be used to launch further attacks inside the home network.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
OpenLIT, CI/CD Remote Code Execution, CVE-2026-27941 (CRITICAL)
