CVE-2025-32409

HIGH

Ratta SuperNote A6 X2 Nomad <December 2024 - RCE

Title source: llm

Description

Ratta SuperNote A6 X2 Nomad before December 2024 allows remote code execution because an arbitrary firmware image (signed with debug keys) can be sent to TCP port 60002, and placed into the correct image-update location as a consequence of both directory traversal and unintended handling of concurrency.

References (1)

[Various Sources] https://www.prizmlabs.io/post/remote-rootkits-uncovering-a-0-click-rce-in-the-supernote-nomad-e-ink-tablet

Scores

CVSS v3 8.1

EPSS 0.0233

EPSS Percentile 84.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-23

Status published

Products (1)

Ratta/SuperNote A6 X2 Nomad < December 2024

Published Apr 07, 2025

Tracked Since Feb 18, 2026