Uncovering a 0-Click RCE in the SuperNote Nomad E-Ink Tablet
Published on: 2025-05-03 06:51:02
Overview:
Last year, popular E-Ink tablet vendor Ratta Software released the SuperNote A6 X2 Nomad - a 7.8-inch tablet running Android 11 under the hood.
As productivity nerds, we picked one up in July of 2024 with the goal of using it for its intended purpose: note taking and academic paper reading. However, as hackers at heart, it took all of 24 hours before we abandoned that idea entirely and decided to poke at it.
What follows is a blog post detailing how we were able to chain a vulnerability and a handful of misconfigurations into a remotely installable, 0-click rootkit. A malicious attacker on the same network as the victim could fully compromise the target device without any user interaction. EDIT: This issue was assigned CVE-2025-32409 after publication.
Recon:
This research kicked off with an innocent Nmap scan, just to see if anything interesting was listening on the device while in its default configuration. Lo and behold, there was one result which stood
...