CVE-2026-0620: CWE-693 Protection Mechanism Failure in TP-Link Systems Inc. AXE75
When configured as an L2TP/IPSec VPN server, the Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing data in transit and compromising confidentiality.
AI Analysis
Technical Summary
CVE-2026-0620 is a vulnerability identified in the TP-Link Archer AXE75 V1 router when configured as an L2TP/IPSec VPN server. The core issue is that the device may accept VPN connections using L2TP without the IPSec layer, even when IPSec is enabled and expected to protect the session. This results from a protection mechanism failure classified under CWE-693, indicating improper enforcement of security controls. The vulnerability allows an attacker to establish VPN sessions that are not encrypted, exposing sensitive data transmitted over the VPN to interception or eavesdropping. The CVSS 4.0 base score is 6.0 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction to initiate the connection. The vulnerability impacts confidentiality severely, as data in transit can be exposed, but does not affect integrity or availability. No known exploits have been reported in the wild, and no patches have been published yet. The flaw is significant for organizations relying on the AXE75 for secure remote access, as it undermines the fundamental security guarantees of VPN encryption. The vulnerability highlights the importance of strict enforcement of IPSec protection in VPN implementations to prevent downgrade or bypass attacks.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of data transmitted over VPN connections using the affected TP-Link AXE75 routers. Sensitive corporate communications, credentials, and proprietary information could be intercepted by attackers on the same network path if VPN sessions fall back to unencrypted L2TP. This is particularly critical for sectors handling sensitive personal data (e.g., GDPR-regulated industries), financial services, and government entities that rely on VPNs for secure remote access. The lack of encryption could lead to data breaches, regulatory non-compliance, reputational damage, and potential financial losses. Since the vulnerability requires user interaction to establish the VPN session, social engineering or phishing could be used to trick users into connecting via unprotected VPN. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes public knowledge.
Mitigation Recommendations
European organizations should immediately audit their VPN configurations on TP-Link Archer AXE75 devices to verify whether L2TP/IPSec VPN server mode is enabled. Until a vendor patch is released, administrators should disable L2TP-only connections or avoid using the AXE75 as an L2TP/IPSec VPN server. Where possible, replace the affected device with alternative VPN solutions that enforce IPSec protection strictly. Network monitoring should be enhanced to detect unencrypted VPN traffic or anomalous L2TP connections. User training should emphasize the risks of connecting to VPNs without proper encryption and caution against accepting unexpected VPN connection prompts. Organizations should subscribe to TP-Link security advisories for patch releases and apply updates promptly. Implementing network segmentation and limiting VPN server exposure to trusted networks can reduce the attack surface. Finally, consider deploying additional encryption layers such as TLS-based VPNs or zero-trust network access solutions as longer-term mitigations.
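The monitoring recommendation above can be turned into a concrete check. The following is an added example, not part of the advisory and not TP-Link code: it correlates WAN-side flow records against the expectation that a correctly protected L2TP/IPSec session is only ever visible as ESP (IP protocol 50) or NAT-T (UDP/4500) traffic, so bare UDP/1701 from a peer with no IPsec traffic in the same time window is the downgrade condition the CVE describes. The flow records, server and peer addresses, and the 300-second correlation window are constructed assumptions.

```python
"""Flag L2TP VPN sessions that are not wrapped in IPsec.

Assumption (not from the advisory): the sensor sits on the WAN side of the
VPN server and exports 5-tuple flow records with a timestamp and byte count,
in the style of NetFlow or a conntrack dump. With L2TP/IPSec working as
intended, the L2TP channel (UDP/1701) is encrypted inside ESP or NAT-T, so
the sensor never sees UDP/1701 in the clear. Bare UDP/1701 from a peer that
shows no IPsec traffic close in time is the unprotected-session case.
"""
from collections import defaultdict
from dataclasses import dataclass

ESP = 50            # IP protocol number for ESP
UDP = 17
L2TP_PORT = 1701
NAT_T_PORT = 4500   # IPsec NAT traversal (UDP-encapsulated ESP/IKE)


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since epoch (or any monotonic clock)
    src: str
    dst: str
    proto: int
    dport: int      # 0 for protocols without ports (ESP)
    bytes: int


def ipsec_evidence(flows, server_ip):
    """Map each peer to the timestamps at which it sent IPsec traffic to the server."""
    evidence = defaultdict(list)
    for f in flows:
        if f.dst != server_ip:
            continue
        if f.proto == ESP or (f.proto == UDP and f.dport == NAT_T_PORT):
            evidence[f.src].append(f.ts)
    return evidence


def find_unprotected_l2tp(flows, server_ip, window=300.0):
    """Return sorted (peer, flow_count, bytes) for bare L2TP flows to server_ip.

    A bare L2TP flow counts as protected only if the same peer has ESP/NAT-T
    traffic within `window` seconds of it; stale IPsec evidence from hours
    earlier does not excuse a later plaintext session.
    """
    evidence = ipsec_evidence(flows, server_ip)
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if not (f.dst == server_ip and f.proto == UDP and f.dport == L2TP_PORT):
            continue
        covered = any(abs(t - f.ts) <= window for t in evidence.get(f.src, ()))
        if covered:
            continue
        totals[f.src][0] += 1
        totals[f.src][1] += f.bytes
    return sorted((peer, n, b) for peer, (n, b) in totals.items())


# Constructed sample input (documentation ranges, not real hosts).
SERVER = "203.0.113.10"
SAMPLE_FLOWS = [
    Flow(0.0,    "198.51.100.7",  SERVER,         UDP, 500,  1200),   # IKE
    Flow(1.0,    "198.51.100.7",  SERVER,         ESP, 0,    48000),  # ESP carrying L2TP: fine
    Flow(10.0,   "198.51.100.22", SERVER,         UDP, 1701, 900),    # bare L2TP, no IPsec
    Flow(12.0,   "198.51.100.22", SERVER,         UDP, 1701, 31000),
    Flow(20.0,   "192.0.2.33",    SERVER,         UDP, 4500, 52000),  # NAT-T: fine
    Flow(0.0,    "198.51.100.40", SERVER,         ESP, 0,    8000),
    Flow(3600.0, "198.51.100.40", SERVER,         UDP, 1701, 2700),   # bare L2TP long after SA
    Flow(30.0,   "198.51.100.50", "203.0.113.99", UDP, 1701, 500),    # different server: ignored
]


if __name__ == "__main__":
    for peer, n, b in find_unprotected_l2tp(SAMPLE_FLOWS, SERVER):
        print(f"ALERT unprotected L2TP from {peer}: {n} flow(s), {b} bytes")
```

Run on the sample, the check reports 198.51.100.22 (never negotiated IPsec) and 198.51.100.40 (IPsec evidence is an hour stale), while the ESP and NAT-T peers are silent. Widening `window` to cover the whole capture would hide the second case, which is why the correlation window should be kept close to the expected lifetime of an IKE/ESP exchange rather than the whole capture.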
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: TPLink
- Date Reserved: 2026-01-05T19:17:01.519Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69823eb3f9fa50a62fd8ce69
Added to database: 2/3/2026, 6:30:11 PM
Last enriched: 2/3/2026, 6:47:39 PM
Last updated: 2/6/2026, 9:13:50 PM