ISN 2025-22: Statement on CVE-2025-47827 in IGEL OS 10
First published 2 June 2025
Summary
The researcher Zack Didcott has found an issue in IGEL OS version 10, which is no longer maintained. The current versions OS 11 and OS 12 are not affected.
Details
Generally, IGEL only issues IGEL Security Notices (ISN) for product versions that are in active maintenance. This ISN, however, concerns IGEL OS 10, a version that no longer receives security fixes and should not be used in production environments. IGEL publishes it in reaction to the publication of CVE-2025-47827, solely for clarification and for the sake of completeness.
Zack Didcott describes an issue in the integrity of the boot chain in OS 10. It uses UEFI Secure Boot, but the Linux kernel does not verify the cryptographic signature of the system partition. This can enable an attacker to boot a different system partition.
IGEL wants to emphasize that while Secure Boot is part of the core security principles of IGEL OS, booted kernels, and hence system images, need frequent patching of vulnerabilities. Unmaintained kernels and systems such as OS 10 pose a general security risk to the user, not only with respect to the Secure Boot chain.
For clarity: this does not affect IGEL OS 11 and OS 12, which do verify the signatures of all partitions.
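The verification step described above as missing from the OS 10 kernel, shown as an added example in Go (this is not IGEL's code and does not claim to reproduce how OS 11 or OS 12 implement their partition checks): a build-time routine signs the digest of the system partition image, and the kernel-side check recomputes that digest from the partition actually present on disk and verifies the vendor signature before the partition is used. The key pair, the helper names (NewVendorKey, SignPartition, VerifyPartition, Boot, RunScenario) and the sample partition contents are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrUntrustedPartition is what a verifying kernel returns instead of mounting.
var ErrUntrustedPartition = errors.New("system partition signature invalid; refusing to continue boot")

// NewVendorKey creates the signing key pair. On a real device only the public
// half is embedded in the Secure-Boot-signed kernel/initramfs; the private half
// stays with the vendor's build system. (Hypothetical helper for this example.)
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPartition is the build-time step: hash the partition image and sign the
// digest, so the signature can ship with the image (header or sidecar file).
func SignPartition(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyPartition is the check the advisory describes as missing in OS 10:
// recompute the digest of the partition that is actually on disk and verify
// the vendor signature over it before that partition is used.
func VerifyPartition(pub ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pub, digest[:], sig) {
		return ErrUntrustedPartition
	}
	return nil
}

// Boot models the kernel's decision. With verify=false it uses whatever
// partition it finds (the behaviour described for OS 10); with verify=true it
// only continues when the partition passes VerifyPartition.
func Boot(verify bool, pub ed25519.PublicKey, image, sig []byte) (string, error) {
	if verify {
		if err := VerifyPartition(pub, image, sig); err != nil {
			return "halted", err
		}
	}
	return "booted", nil
}

// Scenario records the outcome of both kernel variants against a genuine and
// a replaced system partition. All inputs are constructed sample data.
type Scenario struct {
	GenuineVerified    string // verifying kernel, vendor-signed partition
	ReplacedVerified   string // verifying kernel, partition with other contents
	ReplacedUnverified string // non-verifying kernel, same replaced partition
}

func RunScenario() Scenario {
	pub, priv := NewVendorKey()
	genuine := []byte("constructed sample: vendor-built system partition contents")
	sig := SignPartition(priv, genuine)
	// A partition with different contents. The signature found on disk still
	// belongs to the genuine image, so it must not validate for this one.
	replaced := []byte("constructed sample: some other system partition contents")

	var s Scenario
	s.GenuineVerified, _ = Boot(true, pub, genuine, sig)
	s.ReplacedVerified, _ = Boot(true, pub, replaced, sig)
	s.ReplacedUnverified, _ = Boot(false, pub, replaced, sig)
	return s
}

func main() {
	s := RunScenario()
	fmt.Printf("verifying kernel, genuine partition:      %s\n", s.GenuineVerified)
	fmt.Printf("verifying kernel, replaced partition:     %s\n", s.ReplacedVerified)
	fmt.Printf("non-verifying kernel, replaced partition: %s\n", s.ReplacedUnverified)
}
```

The point of the example is the third line of output: a kernel that is itself Secure-Boot-signed but skips the partition check boots the replaced partition just as readily as the genuine one, so the chain of trust ends at the kernel. Production systems typically apply this kind of check per block through a hash tree (dm-verity style) rather than over the whole image at once, but the trust decision is the same: the public key is anchored in the signed kernel, and anything that does not verify against it is not mounted.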
Update Instructions
Update systems to actively maintained products.
There is no need for any action for users of the current versions IGEL OS 11 and OS 12.
References
CVE-2025-47827