IXON VPN Client Vulnerability Allows Privilege Escalation for Attackers

A critical security vulnerability in IXON’s widely used VPN client has exposed Windows, Linux, and macOS systems to local privilege escalation attacks, enabling non-privileged users to gain root or SYSTEM-level access.

Designated as CVE-2025-26168 and CVE-2025-26169, these flaws affect versions 1.4.3 and earlier of the software, posing severe risks to industrial, enterprise, and managed service provider networks reliant on IXON’s remote access solutions.

Researchers Andreas Vikerup and Dan Rosenqvist of Shelltrail disclosed the issue, which leverages insecure handling of temporary configuration files to execute arbitrary code with elevated privileges.

IXON has released patched versions (1.4.4+) and urges immediate deployment to mitigate exploitation risks.

The vulnerability stems from improper handling of OpenVPN configuration files within the IXON VPN Client’s connection workflow.

When initiating a VPN connection, the client temporarily stores configuration data in a world-writable directory accessible to all users.

Attackers can exploit this through a race condition: replacing the legitimate configuration file with a malicious version containing arbitrary commands in the window before the client processes it.

This exploit chain bypasses standard privilege controls because the VPN client executes configuration files with elevated permissions.

On Windows systems, this grants SYSTEM privileges, while Linux and macOS implementations allow root-level access.

The attack requires no user interaction beyond local system access, making it particularly dangerous in shared or multi-user environments like manufacturing facilities or MSP networks.

The flaw’s technical roots lie in two key failures:

  1. Insecure temporary storage: The client writes sensitive configuration data to /tmp/vpn_config.ovpn on Unix-like systems and C:\ProgramData\IXON\vpn_config.ovpn on Windows without proper access controls.
  2. Absence of cryptographic validation: Configuration files lack digital signatures, enabling tampering without detection.

With a CVSS v3.1 score of 8.1 (High), the vulnerability’s impact extends beyond individual devices due to potential lateral movement across VPN-connected networks.

Patch Deployment and Mitigation Strategies

IXON released version 1.4.4 to address these flaws through fundamental architectural changes.

The update relocates configuration files to secure, user-specific directories and implements signature verification to prevent unauthorized modifications.
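The two changes described above, a private per-user directory and integrity verification before use, as an added illustration in Python for Unix-like systems (this is not IXON's code; the 1.4.4 internals are not shown on this page). HMAC-SHA256 under an assumed per-install key stands in for the vendor's signature scheme, and the directory and file names are constructed for the example.

```python
import hashlib
import hmac
import os
import stat
from pathlib import Path

# Assumed per-install secret; a shipping client would verify a vendor signature
# with a public key instead. HMAC-SHA256 stands in so this runs on stdlib only.
CONFIG_KEY = b"constructed-demo-key-not-a-real-secret"

def mac(data: bytes) -> bytes:
    return hmac.new(CONFIG_KEY, data, hashlib.sha256).digest()

def private_dir(base: Path) -> Path:
    """A per-user, mode-0700 directory replaces the shared /tmp location."""
    d = base / "ixon-demo"
    d.mkdir(mode=0o700, exist_ok=True)
    st = d.lstat()  # lstat: a symlink planted at this name must not be followed
    if stat.S_ISLNK(st.st_mode) or st.st_uid != os.getuid() or st.st_mode & 0o077:
        raise PermissionError(f"{d} is not a private directory")
    return d

def create_private_file(path: Path, data: bytes) -> None:
    """O_EXCL|O_NOFOLLOW: fail if anything already sits at the path, so a file
    or symlink pre-planted by another local user is rejected, not overwritten."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def write_config(data: bytes, directory: Path) -> Path:
    path = directory / "vpn_config.ovpn"
    create_private_file(path, data)
    create_private_file(path.with_name(path.name + ".sig"), mac(data))
    return path

def load_verified_config(path: Path) -> bytes:
    """Open first, then inspect the descriptor with fstat: checking the path and
    opening it separately would reopen the check/use race the advisory describes."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())
        if st.st_uid != os.getuid() or st.st_mode & 0o077:
            raise PermissionError(f"{path} has insecure ownership or mode")
        data = f.read()
    sig = path.with_name(path.name + ".sig").read_bytes()
    if not hmac.compare_digest(sig, mac(data)):
        raise ValueError("configuration failed integrity check; refusing to connect")
    return data
```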

For Linux systems, the patch enforces LD_LIBRARY_PATH hardening to block library hijacking attempts that could accompany configuration exploits.

Organizations must follow a structured update process:

  • Windows/macOS: Download the installer from IXON’s portal and execute with administrative rights.
  • Linux: Extract the tarball (tar -xzf vpn_client_x64.tar.gz), then run sudo ./install from the decompressed directory.

Post-installation verification requires checking the client version via IXON’s Fleet Manager portal.

Administrators should also monitor for residual malicious configuration files in previously vulnerable directories.

Browser restarts are mandatory to fully implement security enhancements in the updated client.

Notably, the patch does not automatically remove existing vulnerable installations. Organizations must proactively uninstall older versions before deploying 1.4.4+ to eliminate attack vectors.

Organizational Response Protocols

The exploitation implications are severe: compromised VPN clients could enable attackers to establish persistent backdoors, intercept encrypted traffic, or pivot to industrial control systems in manufacturing environments.

IXON’s advisory emphasizes that unpatched systems face immediate operational threats, particularly in critical infrastructure sectors.

Security teams should implement these urgent measures:

  1. Prioritize patch deployment: All endpoints with IXON VPN Client ≤1.4.3 require immediate updating.
  2. Enforce least privilege: Restrict local user access to systems running the VPN client.
  3. Monitor configuration directories: Deploy file integrity monitoring on /tmp, C:\ProgramData\IXON, and user-specific config storage paths.
  4. Audit VPN logs: Search for anomalous connection attempts or unexpected configuration reload events.

For organizations unable to immediately patch, temporary mitigations include disabling the VPN client service and restricting write permissions to configuration directories.

However, IXON stresses these are stopgap measures rather than permanent solutions.

The discovery underscores broader challenges in secure privilege management for VPN technologies.

As remote access tools become increasingly embedded in operational technology (OT) environments, vendors must implement rigorous file-handling safeguards and adopt zero-trust principles for configuration integrity.
