CVE-2026-0620: Archer AXE75 Information Disclosure Flaw

CVE-2026-0620 is an information disclosure vulnerability in Archer AXE75 V1 that allows unencrypted L2TP VPN connections despite IPSec being enabled. This article covers technical details, affected versions, and mitigations.

CVE-2026-0620 Overview

CVE-2026-0620 is a security bypass vulnerability affecting the TP-Link Archer AXE75 V1 router when configured as an L2TP/IPSec VPN server. The device may accept VPN connections using L2TP without IPSec encryption protection, even when IPSec is explicitly enabled in the configuration. This configuration flaw allows VPN sessions to be established without encryption, exposing data in transit and compromising the confidentiality of communications.

Critical Impact

VPN connections may be established without encryption, allowing attackers to intercept sensitive data transmitted through the VPN tunnel.

Affected Products

  • TP-Link Archer AXE75 V1 (when configured as L2TP/IPSec VPN server)

Discovery Timeline

  • 2026-02-03 - CVE-2026-0620 published to NVD
  • 2026-02-04 - Last updated in NVD database

Technical Details for CVE-2026-0620

Vulnerability Analysis

This vulnerability represents a protection mechanism failure (CWE-693) in the TP-Link Archer AXE75 V1 router's VPN implementation. When administrators configure the device to function as an L2TP/IPSec VPN server with IPSec enabled, the router fails to properly enforce IPSec as a mandatory requirement for VPN connections. As a result, the device accepts L2TP connections that bypass the IPSec encryption layer entirely.

The flaw manifests when processing incoming VPN connection requests. Rather than rejecting connections that do not negotiate IPSec properly, the router permits the L2TP tunnel to be established without the expected encryption wrapper. This creates a false sense of security for administrators who believe their VPN traffic is protected by IPSec encryption.

Root Cause

The root cause is a protection mechanism failure in the VPN server implementation. The router does not properly validate that IPSec encryption is negotiated and active before allowing L2TP tunnel establishment. This represents a failure to enforce the security policy configured by the administrator, allowing the IPSec layer to be bypassed while still establishing a functional VPN connection.

Attack Vector

This vulnerability is exploitable over the network. An attacker positioned between the VPN client and the router (man-in-the-middle position) could intercept unencrypted VPN traffic when clients connect without IPSec protection. Additionally, a malicious actor with network access could deliberately configure a VPN client to connect using L2TP only, bypassing the intended IPSec encryption to capture or manipulate traffic that administrators expect to be encrypted.

Exploitation requires either passive interception or some user interaction: the attacker must be positioned to intercept traffic, or must convince users to connect through a compromised path.

Detection Methods for CVE-2026-0620

Indicators of Compromise

  • VPN connections established without corresponding IPSec Security Associations (SAs) in the router logs
  • Network traffic analysis revealing unencrypted L2TP packets (UDP port 1701) that are not encapsulated in IPSec ESP (IP protocol 50)
  • Successful VPN authentications logged without IPSec tunnel establishment events

Detection Strategies

  • Monitor for L2TP traffic on UDP port 1701 that is not encapsulated within IPSec ESP packets
  • Review router logs for VPN connections that lack corresponding IPSec Phase 1 and Phase 2 negotiation events
  • Implement network-level packet inspection to detect unencrypted PPP frames within L2TP tunnels
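A detector for the first two strategies above, written for this article as an added example (it is not vendor or tool code): it parses IPv4 headers from constructed sample packets and flags L2TP (UDP 1701) that is readable on the wire rather than carried inside ESP or NAT-T, counting hits per client/router pair. Addresses and payloads are constructed documentation-range values.

```python
import socket
import struct
from collections import Counter

# IP protocol numbers and UDP ports that matter for an L2TP/IPSec server
ESP, UDP = 50, 17
IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701

def make_pkt(src, dst, proto, sport=0, dport=0, payload=b"") -> bytes:
    """Build a minimal IPv4 packet for the constructed samples (checksums zeroed)."""
    body = payload
    if proto == UDP:
        body = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

def classify(pkt: bytes) -> tuple[str, str, str]:
    """Return (src, dst, kind); kind says whether the packet travels inside IPSec."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    kind = "other"
    if proto == ESP:
        kind = "esp"             # IPSec-protected; L2TP inside it is not visible here
    elif proto == UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if NAT_T_PORT in (sport, dport):
            kind = "nat-t"       # ESP-in-UDP (NAT traversal), also protected
        elif IKE_PORT in (sport, dport):
            kind = "ike"         # IPSec negotiation; expected before any ESP
        elif L2TP_PORT in (sport, dport):
            kind = "l2tp-plain"  # L2TP readable on the wire => no IPSec wrapper
    return src, dst, kind

def find_unprotected_l2tp(packets: list[bytes]) -> Counter:
    """Count plaintext L2TP packets per (src, dst) pair; any hit is an indicator."""
    return Counter((s, d) for s, d, k in map(classify, packets) if k == "l2tp-plain")

# Constructed sample traffic: one client that negotiated IPSec, one that did not.
ROUTER, GOOD_CLIENT, BAD_CLIENT = "198.51.100.1", "203.0.113.10", "203.0.113.20"
SAMPLE_PACKETS = [
    make_pkt(GOOD_CLIENT, ROUTER, UDP, IKE_PORT, IKE_PORT, b"ike-sa-init"),
    make_pkt(GOOD_CLIENT, ROUTER, ESP, payload=b"\x00\x00\x00\x01" + b"\xaa" * 40),
    make_pkt(BAD_CLIENT, ROUTER, UDP, L2TP_PORT, L2TP_PORT, b"\xc8\x02SCCRQ"),
    make_pkt(BAD_CLIENT, ROUTER, UDP, L2TP_PORT, L2TP_PORT, b"\x00\x02ppp-lcp"),
]
```

Properly protected L2TP never appears as port 1701 on the WAN side: it is inside ESP, or inside UDP 4500 when the client is behind NAT, so any port-1701 packet seen there is a hit. The same reasoning underlies the firewall rule in the mitigation section: only L2TP that was decapsulated from IPSec should reach the L2TP daemon.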

Monitoring Recommendations

  • Enable verbose VPN logging on the Archer AXE75 to capture IPSec negotiation details
  • Deploy network monitoring tools to analyze VPN traffic patterns and encryption status
  • Periodically audit active VPN sessions to verify IPSec encryption is being applied

How to Mitigate CVE-2026-0620

Immediate Actions Required

  • Update the TP-Link Archer AXE75 V1 firmware to the latest version available from TP-Link
  • Consider disabling the L2TP/IPSec VPN server functionality until patched firmware is applied
  • Implement firewall rules to block unencrypted L2TP traffic (UDP port 1701) that is not wrapped in IPSec
  • Monitor VPN connections for any sessions established without proper IPSec encryption

Patch Information

TP-Link has released updated firmware to address this vulnerability. Users should download and install the latest firmware from the TP-Link Archer AXE75 Firmware Download page. Additional information about this vulnerability and remediation steps can be found in the TP-Link FAQ #4942.

Workarounds

  • Disable the L2TP/IPSec VPN server feature until patched firmware is installed
  • Use alternative VPN protocols such as OpenVPN or WireGuard if supported by the device
  • Implement network segmentation to isolate the affected router from sensitive network resources
  • Configure client-side VPN applications to require IPSec encryption and fail if IPSec negotiation is unsuccessful

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
