Critical IXON VPN Vulnerabilities Let Attackers Gain Access to Windows & Linux Systems


Apr 27, 2025 - 11:53

A recent security assessment by Shelltrail has uncovered three critical vulnerabilities in the IXON VPN client, potentially allowing attackers to escalate privileges on both Windows and Linux systems.

Identified as CVE-2025-ZZZ-01, CVE-2025-ZZZ-02, and CVE-2025-ZZZ-03, these flaws expose users to local privilege escalation (LPE) risks, with one additional impact currently undisclosed.

CVE IDs are pending due to funding constraints and a backlog at MITRE, but updates will follow once assigned.

IXON, a Dutch provider of industrial remote access solutions, offers a cloud-based VPN service requiring a physical device connected via Ethernet or mobile data.

Users access a cloud portal at https://ixon.cloud to establish secure VPN connections to local networks.

The IXON VPN client, proprietary software downloaded from the portal, is required for connectivity. It runs a local web server on https://localhost:9250 and operates as a root-level systemd service on Linux and as NT Authority\SYSTEM on Windows.

Vulnerability Details

CVE-2025-ZZZ-01 (Undisclosed)

Details of this vulnerability remain confidential until IXON releases a public fix, as its exploitation could require significant configuration changes. Shelltrail has opted against premature disclosure to avoid irresponsible exposure, though IXON has been notified.

CVE-2025-ZZZ-02: Linux Local Privilege Escalation

On Linux, the VPN client temporarily stores an OpenVPN configuration file at the predictable path /tmp/vpn_client_openvpn_configuration.ovpn.

Shelltrail researchers discovered that an attacker could stall the VPN client and inject a malicious OpenVPN configuration by creating a named pipe (FIFO) at this path using the mkfifo command.

This configuration can include commands like tls-verify with script-security 2, enabling root-level code execution. The attack requires a valid VPN connection to trigger script execution, a limitation noted in prior OpenVPN discussions.

CVE-2025-ZZZ-03: Windows Local Privilege Escalation

On Windows, the VPN client similarly stores its OpenVPN configuration in C:\Windows\Temp, a directory where standard users can create files and folders with full permissions.

By exploiting a race condition, attackers can use a PowerShell script to repeatedly overwrite the temporary configuration file with a malicious version, achieving SYSTEM-level code execution.

Unlike Linux, this method does not require a successful VPN connection, making it particularly potent.

The vulnerabilities stem from the IXON VPN client’s interaction with the cloud portal. When a user initiates a VPN connection, the browser sends an XHR request containing authentication tokens and device identifiers to the local web server.

This server forwards the request to https://ixon.cloud, appending local configuration details and receiving an OpenVPN configuration file. The insecure handling of this file on disk creates the opportunity for privilege escalation.

IXON’s Response and Mitigation

IXON has been commended for its prompt response, addressing the privilege escalation vulnerabilities in version 1.4.4 of the VPN client.

The fix relocates the temporary OpenVPN configuration to a directory accessible only by high-privilege users, neutralizing the exploits.
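The pattern the fix points at, shown as an added example for the POSIX case (this is not IXON's code and not taken from the advisory; the directory and file names are constructed): a privileged service refuses to write its transient configuration into any directory other users can create entries in, and opens the file so that anything already planted at the path causes a failure rather than being written through.

```python
import os
import stat

# Added example (not IXON's code): how a privileged service can write a
# transient OpenVPN configuration without the weakness described above.
# Two independent safeguards: (1) refuse any directory other users can
# write to, so nobody can pre-create the file name; (2) create the file
# with O_CREAT|O_EXCL|O_NOFOLLOW, so a FIFO, symlink or file already
# sitting at the path makes the open fail instead of being written into.

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # not available on every platform

def audit_config_dir(directory: str) -> list[str]:
    """Return the reasons `directory` is unsafe for privileged temp files
    (empty list = passes). Shared temp dirs such as /tmp fail here."""
    findings = []
    st = os.lstat(directory)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["path is not a directory"]
    if st.st_uid != os.geteuid():
        findings.append(f"owned by uid {st.st_uid}, not by this service")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable: others can pre-create names")
    return findings

def write_private_config(directory: str, name: str, content: str) -> str:
    """Write `content` to a brand-new file `directory/name` (mode 0600)
    and return its path. Raises PermissionError for an unsafe directory
    and FileExistsError if anything already occupies the path."""
    problems = audit_config_dir(directory)
    if problems:
        raise PermissionError(f"refusing {directory}: {'; '.join(problems)}")
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW
    fd = os.open(path, flags, 0o600)          # EEXIST if something is pre-planted
    try:
        os.write(fd, content.encode())
    finally:
        os.close(fd)
    return path

if __name__ == "__main__":
    import tempfile
    private = tempfile.mkdtemp()               # created with mode 0700
    print(write_private_config(private, "client.ovpn", "client\nremote vpn.example\n"))
    print(audit_config_dir("/tmp"))            # shows why a shared /tmp fails the audit
```

Run as a service account, the audit on /tmp reports the world-writable finding, which is exactly the property the 1.4.4 relocation removes.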

The undisclosed vulnerability (CVE-2025-ZZZ-01) awaits resolution, with IXON actively working on a solution. Users are urged to upgrade to version 1.4.4 or later, as detailed in IXON’s security advisory (ADV-2025-03-17) at https://support.ixon.cloud.

Industrial systems relying on IXON’s VPN for remote access are particularly vulnerable, given the potential for attackers to gain root or SYSTEM access.

As industrial cybersecurity threats evolve, this discovery underscores the importance of rigorous security assessments for VPN solutions. Stay tuned for updates on CVE assignments and further disclosures.


The post Critical IXON VPN Vulnerabilities Let Attackers Gain Access to Windows & Linux Systems appeared first on Cyber Security News.