Three IXON VPN Client Vulnerabilities let Attackers Escalate Privileges

Security researchers at Shelltrail have discovered three significant vulnerabilities in the IXON VPN client that could allow attackers to escalate privileges on both Windows and Linux systems.

The vulnerabilities, temporarily designated as CVE-2025-ZZZ-01, CVE-2025-ZZZ-02, and CVE-2025-ZZZ-03, affect the widely used VPN solution that provides remote access to industrial systems.

While official CVE IDs have been requested, they have not yet been assigned due to funding limitations and a backlog at MITRE.

The researchers have decided to withhold details about one vulnerability until a fix is available, citing responsible disclosure practices.

Industrial VPN Solution Compromised

IXON, a Dutch company specializing in remote access solutions for industrial systems, provides a cloud-based VPN service that requires users to install a proprietary client on their machines.

The client works in conjunction with physical IXON devices that connect to local networks via Ethernet or mobile data.

During a security assessment, researchers discovered that the IXON VPN client installs a local web server running on https://localhost:9250, which facilitates communication between the cloud portal and the locally installed VPN client.

This communication channel is critical to the operation of the VPN but also introduces security vulnerabilities.

The researchers found that when a user initiates a connection from the IXON cloud portal, an XHR request containing authentication tokens is sent from the browser to the local web service.

The local service then forwards this request to the IXON cloud, appending VPN client configuration details.

In response, the cloud service provides an OpenVPN configuration file which the client uses to establish the connection.

This process, while necessary for functionality, creates potential attack vectors that could be exploited by malicious actors.

Key points of the connection process:

  • The user clicks “connect” on a VPN device in the IXON cloud portal.
  • An XHR request is sent from the browser to the local web service at https://localhost:9250, including authentication tokens and device identifiers.
  • The local web server forwards this request to the IXON cloud, adding local VPN client configuration details.
  • The IXON cloud responds with an OpenVPN configuration file (.ovpn).
  • The local OpenVPN binary uses this configuration to establish the VPN connection.

Details of one vulnerability (CVE-2025-ZZZ-01) are being withheld at this time, as addressing it requires potentially impactful configuration changes.

The researchers have determined that publishing the vulnerability without a proper fix would be irresponsible, despite IXON being aware of the issue and accepting that it may eventually be disclosed.

Linux Vulnerability Exploits OpenVPN Configuration Process

The second vulnerability (CVE-2025-ZZZ-02) affects Linux systems and exploits how the IXON VPN client handles OpenVPN configurations.

Researchers discovered that during connection establishment, the client temporarily stores the OpenVPN configuration in a predictable location: /tmp/vpn_client_openvpn_configuration.ovpn.

This file is deleted immediately after the connection is established, but the brief window of its existence creates an opportunity for exploitation.

By creating a named pipe (FIFO) at the location where the OpenVPN configuration would be stored, attackers can intercept the configuration process.

When the VPN client attempts to write the configuration to this location, it stalls, waiting for someone to read from the pipe.

At this point, an attacker can write a malicious OpenVPN configuration to the pipe that includes parameters like “script-security 2” and “tls-verify” pointing to a malicious script.

Since the OpenVPN process runs with root privileges (as confirmed by the researchers via system service analysis), this script will execute with those same elevated privileges.

The researchers demonstrated this attack by creating a successful proof-of-concept that executed a script as root when a VPN connection was attempted.
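The Linux flaw above comes down to a privileged process writing its OpenVPN config to a fixed path in a world-writable directory with a plain truncating open, and the Windows flaw described below has the same root cause. As an added example that is not part of the original write-up or of IXON's client, the block shows that unsafe pattern beside a hardened write (O_CREAT|O_EXCL|O_NOFOLLOW, mode 0600, staged in a fresh 0700 directory rather than a fixed name like /tmp/vpn_client_openvpn_configuration.ovpn) and an audit helper that reports what currently occupies a staging path. The `demo()` function plants a FIFO in a throwaway directory as a constructed stand-in for the attack and shows the hardened write refusing it; the remote hostname in the sample config is made up.

```python
import os
import stat
import tempfile

def write_config_unsafe(path: str, config_text: str) -> None:
    """The pattern described above: a truncating open on a fixed path. If a FIFO was planted
    there first, open() blocks until a reader attaches and the parsed config is whatever the pipe delivers."""
    with open(path, "w") as fh:
        fh.write(config_text)

def classify_staging_path(path: str) -> str:
    """Audit helper: report what occupies the staging path (lstat, so a symlink is not followed)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"
    if stat.S_ISFIFO(st.st_mode):
        return "fifo"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if stat.S_ISREG(st.st_mode):
        return "regular" if st.st_uid == os.geteuid() else "foreign"
    return "other"

def write_config_hardened(path: str, config_text: str) -> None:
    """O_CREAT|O_EXCL fails with EEXIST if anything (FIFO, file, symlink) already sits at `path`;
    O_NOFOLLOW never follows a link; mode 0600 keeps other users out; fstat double-checks the type."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise RuntimeError("staging path is not a regular file")
        os.write(fd, config_text.encode())
    finally:
        os.close(fd)

def demo() -> dict:
    """Stage under a fresh 0700 directory with an unpredictable name (instead of /tmp), plant a FIFO
    there as a constructed stand-in for the attack, and show the hardened write refusing it."""
    staging_dir = tempfile.mkdtemp(prefix="vpn-client-")  # mode 0700, owned by this user
    planted = os.path.join(staging_dir, "client.ovpn")
    os.mkfifo(planted)  # constructed fixture: the pre-created pipe
    refused = False
    try:
        write_config_hardened(planted, "client\n")
    except FileExistsError:  # EEXIST: something already occupies the path, so we never touch the pipe
        refused = True
    clean = os.path.join(staging_dir, "client-ok.ovpn")
    write_config_hardened(clean, "client\nremote vpn.example.invalid 1194\n")  # constructed config
    return {"planted": classify_staging_path(planted), "refused": refused,
            "clean": classify_staging_path(clean), "mode": stat.S_IMODE(os.stat(clean).st_mode)}
```

Running `demo()` on Linux reports the planted path as a FIFO, the hardened write as refused, and the clean file as a 0600 regular file owned by the caller.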

Windows Systems Vulnerable Through Temporary File Manipulation

The third vulnerability (CVE-2025-ZZZ-03) affects Windows systems and exploits similar weaknesses in how the VPN client handles temporary files.

On Windows, the IXON VPN client service runs in the context of NT Authority\SYSTEM and stores the OpenVPN configuration temporarily in C:\Windows\Temp.

Researchers noted several important characteristics of the Windows Temp directory that make this vulnerability possible: while standard users cannot list content in C:\Windows\Temp, they can create sub-folders and files there, and the creator of such files gains full permissions over them.

Unlike the Linux version, which researchers exploited using named pipes, the Windows vulnerability appears exploitable through a race condition.

The researchers suggested that a while loop in PowerShell, running as a low-privileged user, could continuously copy a malicious OpenVPN configuration to the predictable file location, potentially resulting in execution of attacker-controlled scripts with SYSTEM privileges.

This vulnerability is particularly concerning as it provides a straightforward method for local users to gain the highest level of system privileges on Windows machines running the IXON VPN client.
