Key Takeaways:
- Shelltrail discovered three critical vulnerabilities in the IXON VPN client, exposing industrial systems to privilege escalation attacks on Windows and Linux.
- Two of the flaws have been patched in version 1.4.4, preventing attackers from injecting malicious OpenVPN configurations that could lead to full system access.
- A third vulnerability remains undisclosed while IXON develops a fix, highlighting the need for continuous vulnerability assessments in cloud-connected industrial software.
Three major flaws in IXON’s VPN software could let hackers take control of industrial systems with just a few lines of code.
Cybersecurity firm Shelltrail recently disclosed vulnerabilities in the IXON VPN client that allow local privilege escalation (LPE) on both Windows and Linux platforms.
Two of the bugs, now identified as "CVE-2025-ZZZ-02" and "CVE-2025-ZZZ-03," stem from how the VPN client handles temporary configuration files.
On Linux, the client saves OpenVPN configs to a predictable file in /tmp, which attackers can exploit by injecting malicious code using a simple named pipe.

On Windows, a race condition in the C:\Windows\Temp folder enables attackers to overwrite temp files and execute arbitrary code with SYSTEM-level access, with no VPN connection even required.
Shelltrail is withholding technical details of a third, still-unpatched vulnerability (CVE-2025-ZZZ-01) to prevent misuse.
MITRE has yet to assign official CVE numbers due to a backlog.
Even well-designed interfaces can mask deeper architectural flaws, particularly in how systems handle file permissions and temporary storage.
The IXON case shows the critical need for cybersecurity firms to conduct deep system-level audits.
Ammar Naeem, marketing strategist at AstrillVPN, warns that even minor bugs in remote access tools can pose major security risks for organizations.
"Small software bugs in remote access tools can have outsized consequences because these tools act as gateways to critical systems and data. Even seemingly minor flaws can be exploited by attackers to gain unauthorized access, bypass security controls, or elevate privileges — essentially handing them the keys to the network.
Since many organizations rely on the same popular remote access software, a single vulnerability can put thousands of businesses at risk simultaneously. These bugs can lead to data breaches, service disruptions, and even large-scale attacks like ransomware or cryptojacking."
This is especially true within automation-heavy industries where local services and user privilege boundaries are often overlooked.
What Went Wrong?
IXON is a Dutch provider of remote access solutions for industrial systems.
Its VPN client connects devices through a cloud portal and runs a local web server (https://localhost:9250) with elevated system privileges.
The vulnerabilities occur when the client fetches OpenVPN config files after a user initiates a connection.
This data exchange is done via an XHR request from the browser to the local server, which forwards it to the IXON cloud that receives the final configuration.

Because these files are written to disk with loose permissions, attackers with access to the same machine can hijack the process and escalate privileges.
In response, IXON’s latest patch now stores the configuration files in restricted directories, limiting access to high-privilege users only.
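The file-handling pattern behind that kind of fix can be sketched as follows. This is an added example, not IXON's or Shelltrail's code: the function names, the `vpncfg-` prefix, the `client.ovpn` file name and the sample config are all hypothetical. It writes a config into a fresh owner-only directory and audits a path before a privileged process reads it.

```python
import os
import stat
import tempfile

def write_config_private(config_text, base_dir, name="client.ovpn"):
    """Write a config into a fresh 0700 directory instead of a fixed /tmp path."""
    # mkdtemp picks an unpredictable name and creates the directory owner-only.
    workdir = tempfile.mkdtemp(prefix="vpncfg-", dir=base_dir)
    path = os.path.join(workdir, name)
    # O_EXCL fails if anything (file, symlink, FIFO) already sits at the path;
    # O_NOFOLLOW refuses a symlink in the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as handle:
        st = os.fstat(handle.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError("unexpected file type or owner: " + path)
        handle.write(config_text)
    return path

def audit_config_path(path):
    """Return findings for a config path a privileged process is about to read."""
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, never its target
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")  # FIFO, symlink, device, ...
    if st.st_uid != os.geteuid():
        findings.append("foreign-owner")
    if st.st_mode & 0o077:
        findings.append("group-or-world-accessible")
    parent = os.lstat(os.path.dirname(path) or ".")
    if parent.st_mode & 0o022:
        findings.append("parent-writable-by-others")
    return findings

if __name__ == "__main__":
    # Constructed sample config, for illustration only.
    sample = "client\nremote vpn.example.invalid 1194\n"
    with tempfile.TemporaryDirectory() as base:
        safe = write_config_private(sample, base)
        print(safe, audit_config_path(safe))
```

An empty findings list means the file is a regular file owned by the calling user, readable by no one else, in a directory that other users cannot write to.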
Customers have been urged to update to version 1.4.4 and monitor further disclosures from IXON’s advisory page.
For industrial operations relying on always-on remote access, securing local services is just as critical as encrypting traffic.
As Aviv Besinsky, director of solutions architecture at Bright Data, points out, you don’t have to sit idly while waiting for that patch. Implementing simple steps today can keep your operations running smoothly.
“After updating to the 1.4.4 patch, keep any potential fallout small by carving your VPN into its own little bubble. Ensure only the critical machines get access. Turn on real‑time alerts so you spot funny business before it spirals into a breach. Bring in a trusted security partner to handle audits and compliance checks.
Your team can focus on core projects instead of paperwork. And don’t leave your C‑suite in the dark. A quick, regular update keeps everyone calm and ready, instead of scrambling if something pops up.”
IXON's case shows how small oversights in local file handling can undermine the security of entire networks.
Recently, Bybit and other major financial firms were victims of targeted cyberattacks, losing millions in the process.