Zero-Click Remote Code Execution Vulnerability in SuperNote Nomad E-Ink Tablet Allows Full Device Compromise

Security researcher Prizm Labs has uncovered a critical vulnerability in the SuperNote A6 X2 Nomad, a 7.8-inch E-Ink tablet developed by Ratta Software. This flaw, designated as CVE-2025-32409, enables attackers on the same network to fully compromise the device without any user interaction, potentially installing a rootkit that grants complete control.

Discovery of the Vulnerability

The investigation began when the researcher conducted an Nmap scan, revealing an open port 60002 running an unidentified service on the SuperNote Nomad. This prompted further analysis, leading to the download and examination of the tablet’s unencrypted firmware from Ratta Software’s update page. Within the SuperNoteLauncher.apk, references to port 60002 were found, indicating a custom HTTP server designed for device-to-device file sharing over Wi-Fi.

Exploiting the Flaw

The server on port 60002 processes custom HTTP headers, allowing unauthenticated file uploads to the device’s INBOX directory. By employing a path traversal attack—using sequences like ../../—the researcher successfully wrote files to the EXPORT directory, accessible via the tablet’s user interface. However, the server appends (1) to filenames if a file with the same name already exists, complicating the exploitation process.

Achieving Full Device Compromise

To overcome this obstacle, the researcher exploited the server’s multi-threaded nature and the time required to transfer large files. By first uploading a small dummy file named update.zip, followed immediately by a malicious update.zip containing a backdoor, the researcher manipulated the server’s file-handling logic. The dummy file completed its transfer first, freeing up the update.zip name just in time for the malicious file to claim it during the copy process.
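The two server weaknesses described above, the unvalidated upload name and the non-atomic "(1)" renaming, can be shown side by side with their fixes. The following Python is an added example written for this page, not code from Prizm Labs or Ratta Software; the article does not give the server's header format, its source language or the real INBOX path, so the directory and the function names here are stand-ins. The naive join lets a name containing `../` resolve outside the inbox, while the hardened check accepts only bare file names and re-verifies the resolved path. The upload routine then claims its final name with `O_CREAT|O_EXCL` and writes into that same descriptor, so the numbered suffix is assigned by the kernel's exclusive create rather than by an exists-then-copy sequence that two overlapping transfers can race.

```python
import os
import re
import tempfile
import threading

# Constructed stand-in for the device's INBOX directory; the real path on the
# tablet is not given in the article and is not assumed here.
INBOX = os.path.join(tempfile.gettempdir(), "supernote_inbox_demo")

# Allow only plain file names: alphanumeric start, no separators, bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ ()-]{0,254}$")
_MAX_COLLISIONS = 1000


def naive_target_path(base_dir, client_filename):
    """Weak pattern: join the client-supplied name onto the upload directory
    with no validation, so '../../EXPORT/update.zip' lands outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, client_filename))


def escapes_base(base_dir, path):
    """True when path, after resolving '..' and symlinks, is not under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def safe_target_path(base_dir, client_filename):
    """Hardened check: accept only a bare file name, then confirm the resolved
    path is still inside base_dir.  Raises ValueError otherwise."""
    if any(sep in client_filename for sep in ("/", "\\", os.sep)):
        raise ValueError("directory separators are not allowed in upload names")
    if client_filename in ("", ".", "..") or not _SAFE_NAME.match(client_filename):
        raise ValueError("unsafe upload name: %r" % client_filename)
    target = os.path.join(base_dir, client_filename)
    if escapes_base(base_dir, target):
        raise ValueError("upload name escapes the inbox")
    return target


def is_accepted(base_dir, client_filename):
    """Yes/no wrapper around safe_target_path."""
    try:
        safe_target_path(base_dir, client_filename)
        return True
    except ValueError:
        return False


def _numbered(name, n):
    stem, ext = os.path.splitext(name)
    return "%s(%d)%s" % (stem, n, ext)


def receive_upload(base_dir, client_filename, payload):
    """Claim the final name with O_CREAT|O_EXCL and write the payload through
    that same descriptor.  The '(n)' suffix is decided by the kernel's
    exclusive-create check, not by a separate exists() test followed later by
    a copy, so two concurrent uploads of the same name cannot both end up
    owning the same final path."""
    candidate = safe_target_path(base_dir, client_filename)
    for n in range(1, _MAX_COLLISIONS + 1):
        try:
            fd = os.open(candidate, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            candidate = os.path.join(base_dir, _numbered(client_filename, n))
            continue
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
        return candidate
    raise OSError("too many files named like %r" % client_filename)


def concurrent_uploads(count=4):
    """Upload 'update.zip' from several threads at once into a fresh directory
    and return the sorted final names; every upload must get its own file."""
    base_dir = tempfile.mkdtemp(prefix="supernote_inbox_demo_")
    results = []
    lock = threading.Lock()

    def worker(i):
        path = receive_upload(base_dir, "update.zip", b"constructed payload %d" % i)
        with lock:
            results.append(os.path.basename(path))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)


if __name__ == "__main__":
    tricky = "../../EXPORT/update.zip"  # constructed traversal-style name
    print("naive join escapes inbox:", escapes_base(INBOX, naive_target_path(INBOX, tricky)))
    print("hardened check accepts it:", is_accepted(INBOX, tricky))
    print("concurrent uploads landed as:", concurrent_uploads())
```

Running the file shows the naive join resolving outside the inbox, the hardened check rejecting the same name, and four simultaneous `update.zip` uploads each receiving a distinct final file. On a device, the same two checks belong in the handler that serves the file-sharing port, and the validated, exclusively created path is the only one that should ever be handed to later copy or install logic.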

The malicious firmware was signed using publicly available debug keys from earlier SuperNote models, combined with an unlocked bootloader, allowing the backdoored firmware to pass verification. Once in the EXPORT directory, the firmware would install automatically during a hotplug event (e.g., connecting a USB-C cable) or a reboot. Users receive an opt-out prompt during a hotplug event, but the update installs after 30 seconds unless manually canceled—a low barrier for an unsuspecting user.

Implications and Recommendations

This vulnerability underscores significant security oversights in the SuperNote Nomad’s design, raising concerns for users who rely on the device for note-taking and academic work. To mitigate the risk, users are advised to:

– Ensure their device firmware is up to date, applying any patches released by Ratta Software.

– Avoid connecting the tablet to untrusted networks.

– Monitor for any unusual device behavior and report anomalies to the manufacturer.

Manufacturers are urged to address such vulnerabilities promptly, enhancing device security to protect users from potential exploits.