Local Privilege Escalation in Yubico PAM Implementation on macOS and Linux
CVE-2025-23013

7.3 HIGH

Key Information:

Vendor: Yubico
Status: Vendor
CVE Published: 15 January 2025

Badges

📰 News Worthy

What is CVE-2025-23013?

In certain configurations of Yubico's pam-u2f software prior to version 1.3.1, a local privilege escalation vulnerability allows an unprivileged local attacker to bypass authentication. The issue affects systems where pam-u2f is used to authenticate users with a YubiKey or another FIDO-compliant device. Depending on the configuration, exploiting it may require local access to the target system and possibly the user's password. A successful bypass lets an unauthorized user obtain higher privileges than intended, which poses a significant security risk.

Affected Version(s)

pam-u2f: all versions prior to 1.3.1

News Articles

Yubico Issues Security Advisory As 2FA Bypass Vulnerability Confirmed

Yubico has confirmed a partial 2FA bypass issue could impact some YubiKey customers—here’s what you need to know.

References

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • First article discovered by Forbes

  • Vulnerability published

  • Vulnerability Reserved