CVE-2025-47827

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 June 2025
Modified: 05 November 2025
KEV Added: 14 October 2025
CVSS Score (v3.1): 4.6 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0092 (76.4th percentile)
Risk Priority: 30 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-47827 is a medium-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Microsoft Windows 10 1507. Its CVSS base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Bootkit (T1542.003); the CVE is ranked in the top 23.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

In IGEL OS before version 11, Secure Boot can be bypassed due to improper cryptographic signature verification in the igel-flash-driver module. This flaw, tracked under CWE-347, ultimately allows a crafted root filesystem to be mounted from an unverified SquashFS image. The vulnerability carries a CVSS 3.1 score of 4.6 with a physical attack vector.

An attacker with physical access to an affected device can exploit the signature verification weakness to load untrusted filesystem content, bypassing the Secure Boot protections that would otherwise prevent such tampering. The attack requires no authentication or user interaction and results in a high availability impact according to the provided scoring.

Public references, including entries in the Microsoft Security Response Center and CISA's Known Exploited Vulnerabilities catalog, indicate that the issue has been observed in real-world exploitation. No specific patch or mitigation details are provided in the available references.

Vulnerability details

In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.

CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)
KEV Date Added: 14 October 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1542.003 Bootkit (Stealth)
Adversaries may use bootkits to persist on systems.
T1211 Exploitation for Stealth (Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

The vulnerability enables a Secure Boot bypass via improper cryptographic signature verification in igel-flash-driver, allowing a crafted root filesystem to be mounted and an arbitrary kernel to be loaded via kexec. This facilitates bootkit deployment (T1067, T1542.003) and exploitation for defense evasion (T1211).

Affected Assets

Vendor / Product: Affected versions
igel / igel os: ≤ 11.01.100
microsoft / windows 10 1507: ≤ 10.0.10240.21161
microsoft / windows 10 1607: ≤ 10.0.14393.8519
microsoft / windows 10 1809: ≤ 10.0.17763.7919
microsoft / windows 10 21h2: ≤ 10.0.19044.6456
microsoft / windows 10 22h2: ≤ 10.0.19045.6456
microsoft / windows 11 22h2: ≤ 10.0.22621.6060
microsoft / windows 11 23h2: ≤ 10.0.22631.6060
microsoft / windows 11 24h2: ≤ 10.0.26100.6899
microsoft / windows 11 25h2: ≤ 10.0.26200.6899
+6 more product configuration(s): see NVD for the full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

[prevent] CM-14 (Signed Components): Directly requires cryptographic signing and verification of system components to block loading of unverified SquashFS images during boot.

[prevent, detect] SI-7 (Software, Firmware, and Information Integrity): Mandates integrity verification of software and firmware using cryptographic mechanisms, directly countering the flawed signature check in igel-flash-driver.

[prevent] Requires hardware-rooted protections (e.g., Secure Boot enforcement) that would prevent bypass via physical media even if driver verification fails.

References