A series of critical vulnerabilities has been discovered in the IXON VPN Client, a widely used solution for secure remote access to industrial networks.
The flaws, tracked as CVE-2025-26168 and CVE-2025-26169, enable local attackers to escalate privileges to root on Linux and SYSTEM on Windows, threatening the integrity and security of operational technology environments.
Technical Background
The IXON VPN Client is a proprietary application provided by the Dutch company IXON, designed to facilitate secure connections between remote users and industrial devices via a cloud-based portal.
The client operates as a privileged service (running as root on Linux and as NT Authority\SYSTEM on Windows) and manages VPN sessions by temporarily storing OpenVPN configuration files on disk during connection setup.
Vulnerability Details
The vulnerabilities stem from insecure handling of temporary OpenVPN configuration files:
- Linux (CVE-2025-26168):
  The client writes the configuration file to a predictable path in the world-writable /tmp directory:

  ```text
  /tmp/vpn_client_openvpn_configuration.ovpn
  ```

  An attacker with local access can pre-create a named pipe (FIFO) at this location using the mkfifo command:

  ```bash
  mkfifo /tmp/vpn_client_openvpn_configuration.ovpn
  ```

  When the VPN client attempts to write to this pipe, it stalls, allowing the attacker to inject a malicious OpenVPN configuration containing directives such as:

  ```text
  script-security 2
  tls-verify /tmp/malicious.sh
  ```

  If the VPN connection succeeds, OpenVPN executes the attacker's script as root, resulting in local privilege escalation.
- Windows (CVE-2025-26169):
  The client stores its configuration in:

  ```text
  C:\Windows\Temp
  ```

  Although standard users cannot list this directory, they can create files and folders within it, gaining full permissions over their creations. By running a PowerShell loop as a low-privileged user to continuously copy a malicious configuration file to the expected location, an attacker can exploit a race condition and achieve arbitrary code execution with SYSTEM privileges:

  ```powershell
  while ($true) { Copy-Item .\malicious.ovpn C:\Windows\Temp\vpn_client_openvpn_configuration.ovpn }
  ```

  This attack does not require a successful VPN connection, making it especially potent.
Vendor Response and Mitigation
IXON responded promptly, releasing version 1.4.4 of the VPN Client, which addresses these vulnerabilities by relocating temporary configuration files to directories accessible only by privileged users and securing library loading paths.
Users are strongly advised to:
- Download the patched client from https://portal.ixon.cloud/fleet-manager/tools
- For Linux, install using:

  ```bash
  tar -xzf vpn_client_x64.tar.gz
  cd vpn_client_x64
  sudo ./install
  ```
- Verify the update by ensuring the client version is at least 1.4.4 via the portal.
Failure to patch leaves systems exposed to local privilege escalation, enabling attackers to gain full system control, posing a severe operational and security risk.
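The following Python example is added here and is not taken from IXON's client. It shows the defensive pattern behind this kind of fix on Linux: the writer requires a private parent directory and creates the file with O_EXCL, so a pre-created FIFO at the expected path produces an error instead of a stalled write. The function names and the directory-permission check are assumptions of this example; only the file name comes from the advisory.

```python
import os
import stat
import tempfile

CONFIG_NAME = "vpn_client_openvpn_configuration.ovpn"  # file name from the advisory


def inspect_path(path):
    """Classify what sits at path without opening it (opening a FIFO can block)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"
    if stat.S_ISFIFO(st.st_mode):
        return "fifo"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    return "regular" if stat.S_ISREG(st.st_mode) else "other"


def write_config_securely(directory, data):
    """Write data to directory/CONFIG_NAME; refuse shared dirs and planted objects."""
    st = os.lstat(directory)
    # Assumption of this example: the parent must be a real directory owned by
    # the service user with no group/other access, so nobody else can plant files.
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid() or st.st_mode & 0o077:
        raise PermissionError(f"{directory} is not a private directory")
    path = os.path.join(directory, CONFIG_NAME)
    # O_EXCL fails with EEXIST if anything (file, FIFO, symlink) already exists,
    # so a planted FIFO yields an error instead of a blocked write.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    private_dir = tempfile.mkdtemp()  # created with mode 0700
    planted = os.path.join(private_dir, CONFIG_NAME)
    os.mkfifo(planted)  # constructed stand-in for a pre-created pipe
    print("before:", inspect_path(planted))
    try:
        write_config_securely(private_dir, b"client\n")
    except FileExistsError:
        print("refused: object already exists at", planted)
    os.unlink(planted)
    print("written:", write_config_securely(private_dir, b"client\n"))
```

`inspect_path` can also be pointed at the `/tmp` path named above on an unpatched host to see whether something other than a regular file is waiting there.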
Broader Implications
These findings, credited to Andreas Vikerup and Dan Rosenqvist at Shelltrail, highlight the critical importance of secure file management and privilege separation in security-sensitive software.
Industrial operators using IXON's solutions should prioritize immediate updates and review access controls to mitigate exploitation risks.
CVSS Score: 8.1 (High)
The IXON VPN Client vulnerabilities exemplify how improper handling of temporary files can undermine system security, particularly in environments where remote access is critical.
Organizations must act swiftly to patch affected systems and reinforce best practices in software design and deployment.