IRONSMITHINTEL
MEDIUMCVSS4.6
|
Actively Exploited
|CISA KEV|CVE-2025-47827|Auth: none — unauthenticated|Reboot: required|Manual only

IGEL OS Use of a Key Past its Expiration Date Vulnerability (CVE-2025-47827)

IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.

Published Jun 5, 2025 · Updated Jun 10, 2026
XLinkedIn
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker, without authentication, can achieve partial data exposure, complete denial of service or system unavailability. Federal agencies are required to remediate by 2025-11-04 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Software Vulnerability (CWE-347) (CWE-347) vulnerability in IGEL IGEL OS. In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image. Exploitation requires physical access, low attack complexity, no authentication required, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running igel os: v < 11.01.100; windows 10 1507: v < 10.0.10240.21161; windows 10 1607: v < 10.0.14393.8519; windows 10 1809: v < 10.0.17763.7919; windows 10 21h2: v < 10.0.19044.6456; windows 10 22h2: v < 10.0.19045.6456; windows 11 22h2: v < 10.0.22621.6060; windows 11 23h2: v < 10.0.22631.6060; windows 11 24h2: v < 10.0.26100.6899; windows 11 25h2: v < 10.0.26200.6899; windows server 2012: -, r2; windows server 2016: v < 10.0.14393.8519; windows server 2019: v < 10.0.17763.7919; windows server 2022: v < 10.0.20348.4294; windows server 2022 23h2: v < 10.0.25398.1913; windows server 2025: v < 10.0.26100.6899

Affected OS versions

Windows Server 2019Windows Server 2022Windows Server 2025Windows Server 2016Windows Server 2012 R2
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: https://github.com/Zedeldi/CVE-2025-47827

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

    1
    Vendor advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47827
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-47827
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47827

Per-OS KB reference

Per-Windows-Server-version KB mapping for this vulnerability. Each KB is the cumulative update that contains the fix for the listed OS version. Apply the KB for the OS you are running.

| Windows Server version | Cumulative update | Microsoft Update Catalog | |---|---|---| | Windows Server 2012 R2 | KB5066873 | https://catalog.update.microsoft.com/Search.aspx?q=KB5066873 | | Windows Server 2016 | KB5066836 | https://catalog.update.microsoft.com/Search.aspx?q=KB5066836 | | Windows Server 2019 | KB5066586 | https://catalog.update.microsoft.com/Search.aspx?q=KB5066586 | | Windows Server 2022 | KB5066782 | https://catalog.update.microsoft.com/Search.aspx?q=KB5066782 | | Windows Server 2025 | KB5066835 | https://catalog.update.microsoft.com/Search.aspx?q=KB5066835 |

This per-OS KB table was added 2026-05-21 from MSRC ingestion data. Verify each KB against the live MSRC advisory for your environment.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

Related vulnerabilities