Researcher Zack Didcott has disclosed a critical vulnerability affecting IGEL OS 10. Tracked as CVE-2025-47827, the flaw enables a full Secure Boot bypass, allowing attackers to load arbitrary, unsigned root filesystems and even swap out the kernel entirely, without triggering security alarms.
"Improper verification of cryptographic signature in the igel-flash-driver Linux kernel module in IGEL OS 10 allows a malicious actor to bypass Secure Boot," Didcott wrote.
At the root cause of the vulnerability is a failure to enforce cryptographic validation of SquashFS image signatures during boot. The igel-flash-driver module fails to verify the integrity of the root filesystem, opening the door for an attacker to mount a malicious SquashFS image without detection.
"Once the vulnerable kernel and embedded initramfs has loaded, a malicious root filesystem can be mounted from the unverified SquashFS image on disk," the analysis explained.
Even more concerning is that this bypass chains through the Microsoft 3rd Party UEFI CA, which signs the Shim bootloader. This means that any device trusting Microsoft's default Secure Boot keys is vulnerable, including most standard PCs, laptops, and embedded devices.
Once the malicious filesystem is loaded, attackers can gain root access and execute arbitrary commands. According to the report:
"The currently booted kernel can be replaced with an entirely untrusted one… practically allowing any operating system to boot, following a complete chain of trust."
This opens the door to a host of critical threats:
- Kernel-level rootkits with persistent control over hardware
- Full privilege escalation without detection
- Extraction of encryption keys directly from memory
- Hijacking of kernel parameters to disable security modules
"The kernel could be replaced entirely, enabling malicious code to run at the kernel-level, granting unrestricted access to all system resources," Didcott warned.
The attacker doesn't stop at initial compromise. Once embedded, the malware can use EFI variables to reconfigure the boot order, ensuring that the malicious kernel loads first, even after reboots or OS updates.
"Privileged malware could gain persistence… by installing the required boot files and configuring the boot order accordingly."
To hide traces, the attacker can bind-mount /proc/cmdline to mask changes to boot parameters, and the malware can manipulate user-space tools to appear invisible to antivirus and monitoring software.
Detection is difficult, especially if the attacker deploys a perfect kernel-level rootkit. However, some methods are still viable:
- Monitor for unexpected EFI binaries
- Use tools like rkhunter to detect rootkit indicators
- Inspect kernel command-line arguments for anomalies
- Validate boot signatures using known-good SHA-256 hashes
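The following script is an added defender-side example that is not part of the advisory or of any IGEL tooling. It implements three of the checks listed above: it walks an EFI System Partition and compares every EFI binary against an allowlist of known-good SHA-256 hashes (flagging unexpected, modified and missing binaries), it scans a kernel command line for parameters that weaken signature enforcement, and it inspects /proc/mounts for anything mounted over /proc/cmdline, which is the bind-mount trick the article describes. The ESP layout, the allowlist hashes, the command line and the mounts table are all constructed sample data; the set of "suspicious" kernel parameters is an assumption that should be adjusted to the site baseline.

```python
"""Boot-integrity audit: hash-allowlist check of the ESP, kernel command-line
review, and detection of a bind mount over /proc/cmdline (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_esp(esp_dir, allowlist):
    """Compare every *.efi under esp_dir with allowlist {relative_path: sha256}.
    Returns sorted (status, path) tuples with status in
    'ok', 'modified' (known path, wrong hash), 'unexpected' (not allowlisted),
    'missing' (allowlisted path absent)."""
    findings, seen = [], set()
    for root, _dirs, files in os.walk(esp_dir):
        for name in files:
            if not name.lower().endswith(".efi"):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, esp_dir).replace(os.sep, "/")
            seen.add(rel)
            expected = allowlist.get(rel)
            if expected is None:
                findings.append(("unexpected", rel))
            elif expected != sha256_file(full):
                findings.append(("modified", rel))
            else:
                findings.append(("ok", rel))
    for rel in allowlist:
        if rel not in seen:
            findings.append(("missing", rel))
    return sorted(findings)


# Assumed baseline: values that disable module signature enforcement, and keys
# whose mere presence deserves review (init= replaces PID 1, lsm= reorders
# security modules, nokaslr/rd.break weaken hardening). Tune per deployment.
SUSPICIOUS_VALUES = {"module.sig_enforce": {"0", "n", "N"}}
SUSPICIOUS_KEYS = {"init", "lsm", "nokaslr", "rd.break"}


def audit_cmdline(cmdline):
    """Return the tokens of a kernel command line that match the baseline above."""
    hits = []
    for tok in cmdline.split():
        key, _, val = tok.partition("=")
        if key in SUSPICIOUS_KEYS or val in SUSPICIOUS_VALUES.get(key, ()):
            hits.append(tok)
    return hits


def cmdline_is_overlaid(mounts_text):
    """True if any /proc/mounts entry has /proc/cmdline as its mount point,
    i.e. something has been bind-mounted over the real command line."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "/proc/cmdline":
            return True
    return False


def build_demo_esp():
    """Constructed sample ESP: one good, one tampered, one unlisted binary, plus an
    allowlist that also expects a grub binary which is absent."""
    esp = tempfile.mkdtemp(prefix="esp-demo-")
    good = b"constructed: known-good bootloader bytes"
    files = {
        "EFI/BOOT/BOOTX64.EFI": good,
        "EFI/igel/shimx64.efi": b"constructed: tampered shim bytes",
        "EFI/extra/loader.efi": b"constructed: binary nobody allowlisted",
    }
    for rel, data in files.items():
        path = os.path.join(esp, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    allowlist = {
        "EFI/BOOT/BOOTX64.EFI": hashlib.sha256(good).hexdigest(),
        "EFI/igel/shimx64.efi": hashlib.sha256(b"constructed: original shim bytes").hexdigest(),
        "EFI/igel/grubx64.efi": hashlib.sha256(b"constructed: original grub bytes").hexdigest(),
    }
    return esp, allowlist


def run_demo():
    """Run all three checks over constructed data; returns (esp_findings, cmdline_hits, overlaid)."""
    esp, allowlist = build_demo_esp()
    findings = audit_esp(esp, allowlist)
    hits = audit_cmdline("BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet module.sig_enforce=0 init=/tmp/x")
    mounts = ("proc /proc proc rw,nosuid 0 0\n"
              "/dev/sda2 / ext4 rw,relatime 0 0\n"
              "/tmp/fake_cmdline /proc/cmdline none rw,bind 0 0\n")
    return findings, hits, cmdline_is_overlaid(mounts)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

On a live system the same functions would be pointed at the mounted ESP (commonly /boot/efi), the contents of /proc/cmdline, and /proc/mounts; the allowlist must come from an out-of-band source such as a golden image, because a rootkit that controls the kernel can also feed the auditor whatever hashes it likes, which is why the article calls detection difficult.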
The researcher recommends adding affected kernel hashes to the DBX (revocation list) or distrusting the Microsoft 3rd Party UEFI CA entirely, a move that may break legitimate Linux distributions but significantly shrinks the attack surface.
Zack Didcott reported the vulnerability to both IGEL and Microsoft in December 2024 and March 2025, respectively. While IGEL issued a security notice, no fix is available for IGEL OS 10, which is no longer supported.
For users of IGEL OS or similar Linux-based deployments that leverage Secure Boot, review your trust configurations immediately, revoke unused CAs where possible, and consider moving toward unified kernel images signed with custom keys.
Proof-of-concept code and full mitigation guidance are available on GitHub.