Vulnerabilities in IXON VPN Software Put Windows and Linux Systems at Risk

Three critical vulnerabilities have been identified in the IXON VPN client application, enabling attackers to gain high-level privileges (root or SYSTEM) on user systems and potentially take full control.

IXON, a Netherlands-based company, provides remote connectivity and management services for the industrial sector. Through its ixon.cloud portal, IXON offers VPN connectivity. Users must download the IXON VPN client application to establish a connection. This application:

  • Runs with root privileges on Linux systems,
  • Operates with SYSTEM privileges on Windows systems.

The client software launches a local web server (https://localhost:9250) on the user’s computer to facilitate VPN connections.

Details of the Discovered Vulnerabilities

Shelltrail researchers identified three major vulnerabilities:

1. CVE-2025-ZZZ-01 — Confidential Vulnerability

Details of this vulnerability are being withheld until IXON releases an official fix; Shelltrail has delayed public disclosure to prioritize user security.

2. CVE-2025-ZZZ-02 — Local Privilege Escalation (LPE) on Linux

Issue:

  • The VPN client on Linux stores a temporary OpenVPN configuration file at /tmp/vpn_client_openvpn_configuration.ovpn.
  • The path is predictable and lives in the world-writable /tmp directory, so a local attacker can pre-create a FIFO (named pipe) there with the mkfifo command and feed the client a malicious configuration in place of the real one.
  • The VPN software reads this file and executes embedded malicious commands with root privileges.

Attack Conditions:

  • A legitimate VPN connection is required for the attack to succeed.
  • Malicious scripts are executed via OpenVPN parameters (e.g., tls-verify and script-security 2) in the fake configuration.

3. CVE-2025-ZZZ-03 — Local Privilege Escalation (LPE) on Windows

Issue:

  • On Windows, the temporary OpenVPN configuration file is stored in C:\Windows\Temp.
  • Regular users have permissions to create and modify files in this directory.

Attack Scenario:

  • An attacker uses PowerShell to continuously replace the file with a malicious version (exploiting a race condition).
  • The VPN software reads the malicious file, enabling the attacker to execute code with SYSTEM privileges.

Key Note:

  • Unlike the Linux attack, this method does not require an active VPN connection, making it even more dangerous.

Technical Context of the Vulnerabilities

The IXON VPN client interacts with the ixon.cloud portal, sending user credentials and device identifiers to the local web server. This server retrieves the OpenVPN configuration file and temporarily stores it on the computer. Inadequate protection of that temporary file, a predictable path in a directory that any local user can write to, is the root cause of both privilege-escalation vulnerabilities.
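To make the root cause concrete, here is an added example for POSIX systems (not IXON's or Shelltrail's code): a check that flags the unsafe storage pattern the advisory describes (a predictable name in a world-writable directory, a planted FIFO or symlink, foreign ownership) and the hardened way to store the same profile in a private directory, as the 1.4.4 fix describes. The function names, the sample profile contents and the fake-/tmp scenario are assumptions constructed for this example.

```python
import os
import stat
import tempfile

# Constructed stand-in for the OpenVPN profile the client hands to openvpn.
SAMPLE_CONFIG = b"client\ndev tun\nremote vpn.example.invalid 1194\n"

def unsafe_config_path_reasons(path):
    """Why a privileged process must not read an .ovpn at `path`: a predictable
    name in a world-writable directory (/tmp, C:\\Windows\\Temp) that another
    local user can pre-create, swap under a race, or replace with a FIFO."""
    reasons = []
    if os.stat(os.path.dirname(os.path.abspath(path))).st_mode & stat.S_IWOTH:
        reasons.append("parent directory is world-writable")
    if os.path.lexists(path):
        st = os.lstat(path)  # lstat: never follow a planted symlink
        if stat.S_ISLNK(st.st_mode):
            reasons.append("path is a symlink")
        elif stat.S_ISFIFO(st.st_mode):
            reasons.append("path is a FIFO, not a regular file")
        if st.st_uid != os.geteuid():
            reasons.append("file is owned by another user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("file is group- or world-writable")
    return reasons

def write_config_securely(base_dir, data):
    """Store the profile as the 1.4.4 fix describes: a fresh private directory
    (0700) owned by the client and a brand-new regular file (O_EXCL|O_NOFOLLOW,
    0600), so a pre-planted file, symlink or FIFO fails the write, not reused."""
    private_dir = tempfile.mkdtemp(prefix="vpn-client-", dir=base_dir)
    path = os.path.join(private_dir, "openvpn_configuration.ovpn")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags, 0o600), "wb") as fh:
        fh.write(data)
    return path

def simulate_findings():
    """Constructed scenario: a /tmp-like dir (1777) holding a FIFO at the predictable name."""
    fake_tmp = tempfile.mkdtemp(prefix="fake-tmp-")
    os.chmod(fake_tmp, 0o1777)
    planted = os.path.join(fake_tmp, "vpn_client_openvpn_configuration.ovpn")
    os.mkfifo(planted)
    safe = write_config_securely(fake_tmp, SAMPLE_CONFIG)
    return {
        "planted": unsafe_config_path_reasons(planted),
        "hardened": unsafe_config_path_reasons(safe),
        "hardened_mode": stat.S_IMODE(os.stat(safe).st_mode),
    }
```

Running simulate_findings() reports the planted FIFO in the world-writable directory as unsafe and the privately stored copy as clean.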

Actions Taken by IXON

  • Starting with version 1.4.4, the IXON VPN client application addresses these vulnerabilities.
  • Temporary configuration files are now stored in locations accessible only to high-privileged users.
  • Work is ongoing to resolve the confidential CVE-2025-ZZZ-01 vulnerability.

📢 Recommendations for Users

  • Immediately update the IXON VPN client to version 1.4.4 or higher.
  • Review the official security advisory: [link to advisory, if available].

Why This Matters

The vulnerabilities in the IXON VPN client pose a severe threat to industrial systems. Attackers could:

  • Gain root or SYSTEM privileges,
  • Take complete control of the system,
  • Steal sensitive data,
  • Covertly deploy malicious software.

This incident underscores the critical need for thorough vetting and regular updates of VPN services used in industrial systems.

Cybersecurity is an integral part of technological progress!