CVE-2026-0620 identifies a protection mechanism failure (CWE-693) in the TP-Link Archer AXE75 V1 router's L2TP/IPSec VPN server implementation. Specifically, when configured to require IPSec protection, the device erroneously accepts L2TP connections without IPSec encryption. This means that VPN sessions can be established without the intended cryptographic safeguards, exposing transmitted data to interception or manipulation. The vulnerability arises from improper enforcement of IPSec requirements during the VPN handshake and session establishment phases. Attackers can exploit this by initiating an L2TP connection that bypasses IPSec, potentially capturing sensitive data such as credentials, internal communications, or other confidential information transmitted over the VPN. The CVSS 4.0 score of 6 (medium severity) reflects that the vulnerability is network exploitable without privileges but requires user interaction (i.e., a user must initiate the VPN connection). The impact is primarily on confidentiality, with no direct effect on integrity or availability. No known exploits have been reported in the wild, and no patches are currently available, indicating the need for proactive mitigation. This vulnerability is significant because VPNs are widely used to secure remote access, and a failure in encryption enforcement undermines the fundamental security guarantees of VPN technology.

For European organizations, this vulnerability poses a risk of data exposure during remote access sessions, especially for entities relying on the TP-Link Archer AXE75 router for VPN services. Confidential information transmitted over the VPN could be intercepted by attackers positioned on the network path, such as malicious insiders, compromised routers, or attackers on public networks. This exposure could lead to data breaches, loss of intellectual property, or compromise of sensitive communications. Sectors with stringent data protection requirements, such as finance, healthcare, and government, are particularly vulnerable. The lack of encryption may also violate GDPR mandates on data security during transmission. Additionally, organizations using this device in critical infrastructure or industrial control systems could face operational risks if sensitive control commands or monitoring data are intercepted. Although the vulnerability does not affect integrity or availability directly, the confidentiality breach alone can have severe legal, financial, and reputational consequences.

Until an official patch is released by TP-Link, European organizations should implement the following mitigations: 1) Disable the L2TP VPN server functionality on the Archer AXE75 router if not strictly necessary. 2) If VPN services are required, configure the device to reject L2TP connections that do not use IPSec explicitly, if such configuration options exist. 3) Use alternative VPN solutions or hardware that enforce strong encryption and have no known vulnerabilities. 4) Monitor VPN logs for unusual connection attempts that may indicate exploitation attempts. 5) Educate users about the risks of connecting to VPNs that may not enforce encryption properly. 6) Network segmentation and use of additional encryption layers (e.g., TLS tunnels) can reduce exposure. 7) Regularly check for firmware updates from TP-Link and apply patches promptly once available. 8) Employ network intrusion detection systems to identify suspicious VPN traffic patterns. These steps go beyond generic advice by focusing on configuration hardening, user awareness, and layered security controls specific to this vulnerability.