🟢 CVE-2025-47827

IGEL OS Secure Boot bypass that requires physical access: the igel-flash-driver module improperly verifies a cryptographic signature, so a crafted root filesystem can be mounted from an unverified SquashFS image. This is a local, boot-time security control bypass, not a network-exploitable vulnerability.

Risk Level: LOW_RISK
CVSS Score: 4.6
Attack Vector: PHYSICAL
ATT&CK Tactic: Persistence
ATT&CK Technique: T1543 — Create or Modify System Process
Deployment Risk: LOW
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-06-05

Added to CISA KEV: 2025-10-14 (131 days between CVE publication and KEV listing)

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-47827 is a Secure Boot bypass in the Linux-based IGEL OS [3] [5].

Vulnerability Overview
  • Nature of Vulnerability: The `igel-flash-driver` module improperly verifies a cryptographic signature during boot, so a crafted root filesystem can be mounted from an unverified SquashFS image [3] [7].
  • Impact: Successful exploitation bypasses Secure Boot [6], which is the prerequisite for an undetected bootkit or kernel-level rootkit and therefore for persistent, privileged control of the device [1]. Source [4] frames the severity as a transitive-trust problem: a focused kernel-level bug in a deprecated OS became a full Secure Boot bypass because of how keys and signing authorities are trusted by default on contemporary platforms [4].
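The control the flawed module lacks is a fail-closed verify-before-mount gate. The Go program below is an added example, not IGEL's code and not the PoC from [1]: the Ed25519 detached signature, the pinned public key and the simulated mount are illustrative assumptions, and the image it builds is a constructed 96-byte SquashFS v4 superblock plus filler, not a real filesystem. It shows a correctly signed image being accepted while a tampered image and an unsigned image are both refused before anything is mounted.

```go
// Added example (not IGEL's code): a fail-closed "verify before mount" gate
// for a SquashFS root image, i.e. the check that CVE-2025-47827 is missing.
// Assumptions: Ed25519 detached signatures over the whole image and a pinned
// public key are hypothetical choices for illustration; the mount is simulated.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// squashfsMagic is the little-endian SquashFS superblock magic "hsqs".
const squashfsMagic uint32 = 0x73717368

var (
	ErrNotSquashFS  = errors.New("image is not a SquashFS v4 superblock")
	ErrBadSignature = errors.New("image signature does not verify against the pinned key")
)

// checkSuperblock parses just enough of the 96-byte SquashFS v4 superblock
// (magic at offset 0, version_major/minor at offsets 28/30) to reject
// garbage before any cryptography runs.
func checkSuperblock(img []byte) error {
	if len(img) < 96 || binary.LittleEndian.Uint32(img[0:4]) != squashfsMagic {
		return ErrNotSquashFS
	}
	major := binary.LittleEndian.Uint16(img[28:30])
	minor := binary.LittleEndian.Uint16(img[30:32])
	if major != 4 || minor != 0 {
		return fmt.Errorf("%w: unsupported version %d.%d", ErrNotSquashFS, major, minor)
	}
	return nil
}

// VerifyAndMount is the gate. The bytes that are verified are the same bytes
// handed to the (simulated) mount, so the image cannot be swapped between
// check and use. Any failure returns an error and nothing is mounted.
func VerifyAndMount(pub ed25519.PublicKey, img, sig []byte) (string, error) {
	if err := checkSuperblock(img); err != nil {
		return "", err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, img, sig) {
		return "", ErrBadSignature
	}
	return mountSimulated(img), nil
}

// mountSimulated stands in for losetup + mount; it only reports the image size.
func mountSimulated(img []byte) string {
	return fmt.Sprintf("mounted verified root image (%d bytes)", len(img))
}

// buildTestImage constructs a minimal SquashFS v4 superblock followed by a
// payload. This is constructed sample input, not a real filesystem.
func buildTestImage(payload string) []byte {
	sb := make([]byte, 96)
	binary.LittleEndian.PutUint32(sb[0:4], squashfsMagic)
	binary.LittleEndian.PutUint32(sb[12:16], 131072) // block_size
	binary.LittleEndian.PutUint16(sb[20:22], 1)      // compressor: gzip
	binary.LittleEndian.PutUint16(sb[22:24], 17)     // block_log = log2(131072)
	binary.LittleEndian.PutUint16(sb[28:30], 4)      // version_major
	binary.LittleEndian.PutUint16(sb[30:32], 0)      // version_minor
	return append(sb, []byte(payload)...)
}

// Demo exercises the three cases a boot-time verifier must get right and
// reports whether each was handled as expected.
func Demo() (signedOK, tamperedRejected, unsignedRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pinned vendor key, hypothetical
	if err != nil {
		panic(err)
	}
	good := buildTestImage("vendor rootfs payload")
	sig := ed25519.Sign(priv, good)

	_, err = VerifyAndMount(pub, good, sig)
	signedOK = err == nil

	// Attacker flips one payload byte after signing: superblock still parses,
	// signature no longer matches.
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = VerifyAndMount(pub, tampered, sig)
	tamperedRejected = errors.Is(err, ErrBadSignature)

	// Unsigned image: must be refused, not mounted "for compatibility".
	_, err = VerifyAndMount(pub, good, nil)
	unsignedRejected = errors.Is(err, ErrBadSignature)
	return
}

func main() {
	fmt.Println(Demo())
}
```

In a real boot chain the kernel mounts from a block device rather than from a buffer, so the same verify-then-use property has to be provided by something like dm-verity with the root hash carried in a signed kernel command line; verifying a file in userspace and then loop-mounting the device it came from reintroduces the check-to-use window this example closes by design.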
Exploitation Requirements
  • Access Level: Exploitation requires physical access to the target device [6], consistent with the PHYSICAL attack vector above.
  • User Interaction: None beyond the physical access itself; the bypass is triggered during the boot sequence.
Exploitation and Threat Actor Usage
  • Active Exploitation: CISA added this CVE to the KEV catalog on 2025-10-14 and it appeared in Microsoft's patch cycle alongside actively exploited zero-days [5] [7], which is why it shows up in patch-cycle reporting. The reporting on this page, however, ties the flaw to legacy, unmaintained IGEL OS 10 rather than to any documented intrusion [5] [2].
  • PoC Availability: A proof-of-concept and vulnerability report are publicly available on GitHub (Zedeldi/CVE-2025-47827) and demonstrate the bypass [1].
  • Campaigns: Nothing on this page links the CVE to ransomware or nation-state campaigns; it is largely viewed as a research-driven finding about the fragility of boot-chain trust in legacy software [4].
Affected Versions and Mitigation
  • Affected Versions: IGEL OS before 11, i.e. version 10 and earlier [2] [3].
  • Status: IGEL OS 10 is no longer maintained [2]. Upgrade to a supported release, IGEL OS 11 or 12, which are not affected by this flaw [2].

Sources

  1. PoC and vulnerability report for CVE-2025-47827. - GitHub

    A Secure Boot bypass exploit could lead to the development of an undetected bootkit/kernel-level rootkit, in turn leading to multiple implications. ... PoC and vulnerability report for CVE-2025-47827. Contribute to Zedeldi/CVE-2025-47827 development by creating an account on GitHub.

  2. ISN 2025-22: Statement on CVE-2025-47827 in IGEL OS 10

    The researcher Zack Didcott has found an issue in IGEL OS version 10, which is no longer maintained. The current versions OS 11 and OS 12 are ...

  3. CVE-2025-47827 Detail - NVD

    Description. In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. ...

  4. CVE-2025-47827: IGEL OS 10 Secure Boot Bypass — Remediation Guide

    CVE‑2025‑47827 is an instructive case study in the fragility of transitive trust across boot‑chain components. A relatively focused kernel‑level bug in a deprecated OS was sufficient to create a full Secure Boot bypass because of how keys and signing authorities are trusted by default on contemporar…

  5. Microsoft patches three zero-days actively exploited by attackers

    CVE-2025-47827 affects the Linux-based IGEL OS (before version 11) and allows attackers to bypass the Secure Boot process. IGEL OS is most ...

  6. CVE-2025-47827 - Exploits & Severity - Feedly

    An attacker with physical access to the device could potentially bypass Secure Boot protections. This could allow unauthorized modifications to ...

  7. Microsoft Windows: CVE-2025-47827 - Rapid7 Vulnerability Database

    Description. In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a ...