Security researcher Prizm Labs has discovered a serious flaw in the [SuperNote A6 X2 Nomad](https://supernote.com/products/supernote-nomad?srsltid=AfmBOopLgaV2qunWCtee8RMx9v9JFYRiRaqOoXDV5_o4zJyKxCUbrikG), a well-known 7.8-inch E-Ink tablet made by Ratta Software.

The flaw, now assigned [CVE-2025-32409](https://nvd.nist.gov/vuln/detail/CVE-2025-32409), could allow a malicious attacker on the same network to fully compromise the device without any user interaction, potentially installing a rootkit that grants complete control.

The detailed technical analysis of the discovery highlights significant security oversights in the tablet’s design, raising concerns for users who rely on the device for note-taking and academic work.

**A Hacker’s Curiosity Sparks Discovery**

The researcher's initial Nmap scan revealed an open port 60002 running an unidentified service, prompting further investigation. By downloading an unencrypted firmware image from Ratta Software’s update page, Maginnes was able to dissect the tablet’s software. The investigation zeroed in on the *SuperNoteLauncher.apk*, which contained references to the mysterious port.

Using reverse-engineering tools like *jadx*, Maginnes traced the port to a custom HTTP server embedded in the app, designed to handle device-to-device file sharing over Wi-Fi.

**A Chain of Exploitable Flaws**

The server on port 60002 was found to process custom HTTP headers, enabling unauthenticated file uploads to the device’s *INBOX* directory.

Maginnes tested the system’s limits by attempting a path traversal attack, appending ‘dot-dot-slashes’ (e.g., *../../../../sdcard/EXPORT/testfile.txt*) to the file path.

The attack succeeded, allowing files to be written to the *EXPORT* directory, which is accessible via the tablet’s user interface.

However, the exploit hit a snag: the server appended a ‘(1)’ to filenames if a file already existed, resulting in names like *update(1).zip*.

This was problematic because the tablet’s firmware update process, which scans the *EXPORT* directory for updates, required a file named exactly *update.zip* to trigger an installation.

**Turning a Misconfiguration Into a Full-Blown Exploit**

The researcher devised an ingenious workaround by exploiting the server’s multi-threaded nature and the time it takes to transfer large files. The tablet’s firmware update files are typically 1.1GB, meaning uploads are slow.

By sending a small ‘dummy’ file named *update.zip* followed immediately by a malicious *update.zip* containing a backdoor, Maginnes manipulated the server’s file-handling logic.

The dummy file completed its transfer first, freeing up the *update.zip* name just in time for the malicious file to claim it during the copy process.

The malicious firmware was signed using publicly available debug keys, a flaw carried over from earlier SuperNote models, as noted in prior research.

According to the [report](https://www.prizmlabs.io/post/remote-rootkits-uncovering-a-0-click-rce-in-the-supernote-nomad-e-ink-tablet), these keys, combined with an unlocked bootloader, allowed the backdoored firmware to pass verification.

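
For defenders building a similar file-receiving service, the two server-side weaknesses described above (client-controlled paths and non-atomic handling of duplicate names) can be closed as in the following added Python sketch, which is not Ratta's code or code from the report. The function names and the `INBOX` stand-in directory are assumptions made for illustration.

```python
import os
import tempfile

class UploadRejected(Exception):
    """Raised when a client-supplied name is not a bare file name inside the inbox."""

def resolve_upload_path(inbox: str, client_name: str) -> str:
    """Map a client-supplied name to a path strictly inside `inbox`."""
    root = os.path.realpath(inbox)
    # A receiver only needs a bare file name: refuse separators and dot entries.
    if (not client_name or client_name in (".", "..")
            or any(c in client_name for c in ("/", "\\", "\x00"))):
        raise UploadRejected(client_name)
    candidate = os.path.realpath(os.path.join(root, client_name))
    # Defence in depth: the canonical path must still sit under the inbox root
    # (this also catches a symlink planted inside the inbox).
    if os.path.commonpath([root, candidate]) != root:
        raise UploadRejected(client_name)
    return candidate

def claim_unique_name(path: str) -> tuple[str, int]:
    """Atomically create `path`, or `name(1).ext`, `name(2).ext`, ... if taken.

    O_CREAT | O_EXCL makes "does it exist?" and "create it" one kernel
    operation, so two concurrent uploads can never be handed the same name.
    """
    stem, ext = os.path.splitext(path)
    n = 0
    while True:
        target = path if n == 0 else f"{stem}({n}){ext}"
        try:
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            return target, fd
        except FileExistsError:
            n += 1

def store_upload(inbox: str, client_name: str, data: bytes) -> str:
    """Validate the name, reserve it, then write through the reserved descriptor."""
    target, fd = claim_unique_name(resolve_upload_path(inbox, client_name))
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target

if __name__ == "__main__":
    inbox = tempfile.mkdtemp(prefix="INBOX-")  # constructed stand-in directory
    print(store_upload(inbox, "update.zip", b"first"))
    print(store_upload(inbox, "update.zip", b"second"))  # receives a numbered suffix
```

Path confinement and atomic naming address only the upload service; they do not substitute for authenticating the sender or for verifying firmware against production signing keys.
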
Once in the *EXPORT* directory, the firmware would install automatically during a hotplug event (e.g., connecting a USB-C cable) or a reboot.

While users receive an opt-out prompt during a hotplug event, the update installs after 30 seconds unless manually canceled—a low barrier for an unsuspecting user.

**Crafting the Attack**

To create the malicious firmware, Maginnes used a flashable Android rootkit and a simple C-based reverse shell payload. Repackaging the firmware required *Multi Image Kitchen*, though compatibility issues with modern Java Development Kits (JDKs) posed a challenge.

Once installed, the rootkit granted full control over the device, potentially exposing sensitive user data like notes, documents, or academic papers.

**Implications and Response**

This 0-click remote code execution (RCE) vulnerability underscores the risks of unauthenticated network services and lax firmware security in IoT devices. An attacker on the same Wi-Fi network, such as in a coffee shop, library, or office, could silently compromise a SuperNote Nomad without the user’s knowledge.

The use of outdated debug keys and an unlocked bootloader further amplifies the severity of the issue.

Ratta Software has not yet issued a public statement regarding the vulnerability. Users are advised to disable Wi-Fi on their SuperNote Nomad when not in use and avoid connecting to untrusted networks until a patch is released.

Maginnes disclosed the issue responsibly, and the assignment of a CVE number suggests that a fix may be in progress.

The post [0-Click RCE in the SuperNote Nomad E-ink Tablet Lets Hackers Install Rootkit & Gain Full Control](https://cybersecuritynews.com/0-click-rce-in-the-supernote-nomad-e-ink-tablet/) appeared first on [Cyber Security News](https://cybersecuritynews.com).