Three IXON VPN Client Flaws Allow Attackers to Escalate Privileges

Three critical vulnerabilities have been identified in the IXON VPN client software, exposing both Linux and Windows installations to local privilege escalation attacks.

The flaws, which are currently being tracked under internal advisories due to a CVE allocation backlog, reveal severe weaknesses in temporary file management and configuration handling, allowing local attackers to execute code with elevated privileges.

[Figure: IXON VPN Client local web server]

Technical Overview of the Vulnerabilities

The IXON VPN client, a proprietary solution provided by Dutch company IXON for secure remote access to industrial systems, relies on a locally installed binary that runs as a privileged service: root on Linux and SYSTEM on Windows.

To establish a VPN session, the client interacts with the IXON cloud portal and manages VPN configuration data, which is temporarily stored on disk before connection initiation.

According to the report, Shelltrail’s analysis during a security assessment revealed that on Linux systems, the client writes the OpenVPN configuration file to /tmp/vpn_client_openvpn_configuration.ovpn, a path that was found to be predictable and world-accessible.

OpenVPN’s ability to execute scripts specified in its configuration, such as through the tls-verify or up directives, presents an opportunity for exploitation if an attacker can manipulate the configuration file.

The most notable attack leverages a named pipe (FIFO) placed in the expected configuration path.

By pre-creating a FIFO at /tmp/vpn_client_openvpn_configuration.ovpn, a non-privileged user can stall the privileged client process, then inject a malicious configuration containing script directives.

[Figure: vpn_client runs as a service]

Once the VPN client writes to and reads from the pipe, the attacker’s script is executed with root privileges, achieving local privilege escalation.

This exploit is constrained by the requirement that the resulting VPN connection must succeed, as script execution is contingent upon connection establishment.
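A defender-side check for the Linux condition described above, added here as an example and not taken from IXON's or Shelltrail's code: it inspects the configuration path without opening it and lists the OpenVPN options in a config that run external commands. The function names, the `trusted_uid=0` default and the sample config are assumptions made for illustration.

```python
import os
import stat

# OpenVPN options that make the daemon run an external command or load code.
SCRIPT_DIRECTIVES = {
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}

def audit_config_path(path, trusted_uid=0):
    """Return findings for a config path that a privileged client will open."""
    findings = []
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH:
        findings.append("parent directory is world-writable")
    try:
        st = os.lstat(path)  # lstat never follows a symlink or blocks on a FIFO
    except FileNotFoundError:
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file (FIFO, symlink or other)")
    if st.st_uid != trusted_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    return findings

def find_script_directives(config_text):
    """Return (line_number, directive) for each command-running option."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        words = line.split()
        if not words or words[0].startswith(("#", ";")):
            continue  # blank line or comment
        name = words[0].lstrip("-")
        if name in SCRIPT_DIRECTIVES:
            hits.append((number, name))
    return hits

# Constructed sample config, not taken from the IXON client.
SAMPLE = """client
# up /etc/openvpn/ignored.sh
script-security 2
tls-verify /path/to/check.sh
"""

if __name__ == "__main__":
    target = "/tmp/vpn_client_openvpn_configuration.ovpn"  # path named in the article
    print(audit_config_path(target), find_script_directives(SAMPLE))
```

Any finding on the path while the client is idle, or any script directive in a configuration the portal is not expected to send, is worth investigating on hosts that have not yet been upgraded.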

A parallel vulnerability exists in the Windows version of the IXON VPN client, which stores temporary configuration files in C:\Windows\Temp\.

Although permissions on this directory limit listing access for non-privileged users, they retain the right to create files or directories within it.

Through the use of a race condition, such as a rapid loop to copy a malicious configuration file into a predictable location, a local attacker can replace the legitimate file and trigger execution of arbitrary code with SYSTEM privileges during the VPN connection process.

Remediation and Vendor Response

IXON has acknowledged these vulnerabilities and responded promptly, updating their client software to ensure that temporary OpenVPN configuration files are now stored in locations only accessible by privileged users.

Customers are urged to upgrade to version 1.4.4 or later of the VPN client to mitigate these privilege escalation vectors.

The company is tracking the issues internally under the advisory ID ADV-2025-03-17, and additional details are available on their support portal.

One of the vulnerabilities, currently redacted from public disclosure, remains under review as it requires more significant architectural changes for remediation.

IXON is coordinating with the researchers to ensure a responsible release once a fix becomes available.

These findings underscore the risks introduced by improper handling of sensitive temporary files in security-critical software, particularly when interacting with system-level processes in shared-access environments.

Organizations deploying IXON VPN solutions should prioritize applying the latest updates to defend against potential exploitation.

This case further highlights the importance of rigorous privilege separation and secure file management practices in all client-server architectures.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.