0-Click RCE in the SuperNote Nomad E-ink Tablet Lets Hackers Install Rootkit & Gain Full Control

Security researcher Prizm Labs has discovered a serious flaw in the SuperNote A6 X2 Nomad, a well-known 7.8-inch E-Ink tablet made by Ratta Software.
The flaw, now assigned CVE-2025-32409, could allow a malicious attacker on the same network to fully compromise the device without any user interaction, potentially installing a rootkit that grants complete control.
The discovery and its detailed technical analysis highlight significant security oversights in the tablet’s design, raising concerns for users who rely on the device for note-taking and academic work.
A Hacker’s Curiosity Sparks Discovery
The researcher’s initial Nmap scan revealed an open port, 60002, running an unidentified service, prompting further investigation.

By downloading an unencrypted firmware image from Ratta Software’s update page, Maginnes was able to dissect the tablet’s software. The investigation zeroed in on the SuperNoteLauncher.apk, which contained references to the mysterious port.
Using reverse-engineering tools like jadx, Maginnes traced the port to a custom HTTP server embedded in the app, designed to handle device-to-device file sharing over Wi-Fi.
A Chain of Exploitable Flaws
The server on port 60002 was found to process custom HTTP headers, enabling unauthenticated file uploads to the device’s INBOX directory.
Maginnes tested the system’s limits by attempting a path traversal attack, appending “dot-dot-slashes” (e.g., ../../../../sdcard/EXPORT/testfile.txt) to the file path.
The attack succeeded, allowing files to be written to the EXPORT directory, which is accessible via the tablet’s user interface.
However, the exploit hit a snag: the server appended a “(1)” to filenames if a file already existed, resulting in names like update(1).zip.
This was problematic because the tablet’s firmware update process, which scans the EXPORT directory for updates, required a file named exactly update.zip to trigger an installation.
Turning a Misconfiguration Into a Full-Blown Exploit
The researcher devised an ingenious workaround by exploiting the server’s multi-threaded nature and the time it takes to transfer large files. The tablet’s firmware update files are typically 1.1GB, meaning uploads are slow.
By sending a small “dummy” file named update.zip followed immediately by a malicious update.zip containing a backdoor, Maginnes manipulated the server’s file-handling logic.
The dummy file completed its transfer first, freeing up the update.zip name just in time for the malicious file to claim it during the copy process.
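Added example, not code from the SuperNote app or the researcher's report: a Python sketch of how an upload handler can close the two gaps described above, the "dot-dot-slash" write outside INBOX and the filename race. It assumes the race exists because the name check and the file creation are separate steps; the function names and the temporary INBOX/EXPORT layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UploadRejected(Exception):
    """Raised when a client-supplied name would land outside the inbox."""


def resolve_upload(inbox: Path, client_name: str) -> Path:
    # Canonicalise first, then compare: "..", absolute paths and symlinks
    # are all resolved before the containment decision is made.
    inbox = inbox.resolve()
    candidate = (inbox / client_name).resolve()
    if candidate.parent != inbox:
        raise UploadRejected(f"refusing path outside inbox: {client_name!r}")
    return candidate


def claim_name(dest: Path):
    # O_CREAT|O_EXCL makes "does it exist?" and "create it" one atomic step,
    # so two concurrent uploads can never both be told the name is free.
    n = 0
    while True:
        path = dest if n == 0 else dest.with_name(f"{dest.stem}({n}){dest.suffix}")
        try:
            return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), path
        except FileExistsError:
            n += 1


def store_upload(inbox: Path, client_name: str, data: bytes) -> Path:
    fd, path = claim_name(resolve_upload(inbox, client_name))
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return path


def demo():
    # Constructed layout standing in for the device's INBOX and EXPORT folders.
    with tempfile.TemporaryDirectory() as root:
        inbox, export = Path(root, "INBOX"), Path(root, "EXPORT")
        inbox.mkdir()
        export.mkdir()
        first = store_upload(inbox, "note.pdf", b"a").name
        second = store_upload(inbox, "note.pdf", b"b").name
        try:
            store_upload(inbox, "../EXPORT/update.zip", b"x")
            blocked = False
        except UploadRejected:
            blocked = True
        return first, second, blocked, sorted(p.name for p in export.iterdir())
```

Because the name is claimed when the file is created rather than when the transfer finishes, the order in which two same-named uploads complete no longer decides which one gets the unsuffixed name.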
The malicious firmware was signed using publicly available debug keys, a flaw carried over from earlier SuperNote models, as noted in prior research.
According to the report, these keys, combined with an unlocked bootloader, allowed the backdoored firmware to pass verification. Once in the EXPORT directory, the firmware would install automatically during a hotplug event (e.g., connecting a USB-C cable) or a reboot.
While users receive an opt-out prompt during a hotplug event, the update installs after 30 seconds unless manually canceled—a low barrier for an unsuspecting user.
Crafting the Attack
To create the malicious firmware, Maginnes used a flashable Android rootkit and a simple C-based reverse shell payload. Repackaging the firmware required Multi Image Kitchen, though compatibility issues with modern Java Development Kits (JDKs) posed a challenge.
Once installed, the rootkit granted full control over the device, potentially exposing sensitive user data like notes, documents, or academic papers.
Implications and Response
This 0-click remote code execution (RCE) vulnerability underscores the risks of unauthenticated network services and lax firmware security in IoT devices. An attacker on the same Wi-Fi network, such as in a coffee shop, library, or office, could silently compromise a SuperNote Nomad without the user’s knowledge.
The use of outdated debug keys and an unlocked bootloader further amplifies the severity of the issue.
Ratta Software has not yet issued a public statement regarding the vulnerability. Users are advised to disable Wi-Fi on their SuperNote Nomad when not in use and avoid connecting to untrusted networks until a patch is released.
Maginnes disclosed the issue responsibly, and the assignment of a CVE number suggests that a fix may be in progress.
The post 0-Click RCE in the SuperNote Nomad E-ink Tablet Lets Hackers Install Rootkit & Gain Full Control appeared first on Cyber Security News.