CVE-2025-32409
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Ratta SuperNote A6 X2 Nomad devices by sending specially crafted firmware images to TCP port 60002. The attack combines directory traversal and concurrency issues to place malicious firmware in the update location. All SuperNote A6 X2 Nomad devices running firmware earlier than the December 2024 update are affected.
💻 Affected Systems
- Ratta SuperNote A6 X2 Nomad
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing persistent rootkit installation, data theft, device bricking, and use as a pivot point in networks.
Likely Case
Remote code execution leading to data exfiltration, device manipulation, and potential lateral movement in connected networks.
If Mitigated
Limited impact with proper network segmentation and firewall rules blocking port 60002.
🎯 Exploit Status
Exploitation requires sending a specially crafted firmware image to TCP port 60002; no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: December 2024 firmware update
Vendor Advisory: https://www.prizmlabs.io/post/remote-rootkits-uncovering-a-0-click-rce-in-the-supernote-nomad-e-ink-tablet
Restart Required: Yes
Instructions:
1. Connect SuperNote to WiFi.
2. Go to Settings > System > System Update.
3. Check for and install December 2024 firmware update.
4. Restart device after installation.
🔧 Temporary Workarounds
Block TCP port 60002
linux: Prevent external access to the vulnerable firmware update service
iptables -A INPUT -p tcp --dport 60002 -j DROP
Disable WiFi when not needed
all: Reduce attack surface by disabling wireless connectivity
🧯 If You Can't Patch
- Isolate SuperNote devices on separate VLAN with strict firewall rules
- Implement network monitoring for connections to TCP port 60002
🔍 How to Verify
Check if Vulnerable:
Check firmware version in Settings > System > About Device; if version predates December 2024, device is vulnerable
Check Version:
Not applicable - check via device GUI
Verify Fix Applied:
Confirm firmware version shows December 2024 or later in Settings > System > About Device
📡 Detection & Monitoring
Log Indicators:
- Unexpected connections to port 60002
- Firmware update attempts from unknown sources
Network Indicators:
- TCP connections to port 60002 from external IPs
- Large file transfers to port 60002
SIEM Query:
destination_port=60002 AND protocol=TCP AND (bytes_sent>1000000 OR bytes_received>1000000)
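The indicators and SIEM query above, applied to exported flow records. This is an added example, not part of the original advisory; the CSV column names, the internal network range and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

UPDATE_PORT = 60002      # firmware update service port named in this advisory
LARGE_BYTES = 1_000_000  # size threshold taken from the SIEM query above
# Assumption: the subnet the tablets live on; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample flow records (hypothetical schema, not a product export).
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,protocol,bytes_sent,bytes_received
192.168.1.20,192.168.1.77,60002,TCP,5242880,312
203.0.113.9,192.168.1.77,60002,TCP,420,60
192.168.1.20,192.168.1.77,443,TCP,9000000,1200
192.168.1.31,192.168.1.77,60002,UDP,2000000,0
198.51.100.4,192.168.1.77,60002,TCP,120,3145728
"""


def classify(flow):
    """Return the indicator names one flow record matches (empty if none)."""
    if int(flow["dst_port"]) != UPDATE_PORT or flow["protocol"].upper() != "TCP":
        return []
    hits = ["conn_to_60002"]  # any TCP connection to the update port
    src = ipaddress.ip_address(flow["src_ip"])
    if not any(src in net for net in INTERNAL_NETS):
        hits.append("external_source")
    sizes = (int(flow["bytes_sent"]), int(flow["bytes_received"]))
    if max(sizes) > LARGE_BYTES:  # same condition as the SIEM query
        hits.append("large_transfer")
    return hits


def scan(text):
    """Parse CSV flow records and return (src_ip, indicators) for each match."""
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        hits = classify(row)
        if hits:
            results.append((row["src_ip"], hits))
    return results


if __name__ == "__main__":
    for src, hits in scan(SAMPLE_FLOWS):
        print(f"{src}: {', '.join(hits)}")
```

A record tagged `large_transfer` is what the SIEM query alone would return; `conn_to_60002` without it covers the broader "unexpected connections" indicator.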