CVE-2026-0620 MEDIUM

CVE-2026-0620: L2TP over IPSec Encryption Failure on Archer AXE75

Vendor: TP-Link Systems Inc.
Product: AXE75
Weakness: CWE-693
Published: February 3, 2026
Last update: February 4, 2026

CVSS base score

6.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Passive
Confidentiality: High
Integrity: None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

When configured as an L2TP/IPSec VPN server, the Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing data in transit and compromising confidentiality.

Key dates

02 Disclosure timeline

February 3, 2026: CVE published
February 4, 2026: Record updated