CVE-2025-23013
HIGH EPSS 31.5%
Published Jan 15, 2025 (1y ago) · Modified Jun 17, 2026 (2w ago)
7.3 CVSS 4.0
Description
In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
31.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-394
References 7
- openwall.com http://www.openwall.com/lists/oss-security/2025/01/15/1
- openwall.com http://www.openwall.com/lists/oss-security/2025/01/16/2
- openwall.com http://www.openwall.com/lists/oss-security/2025/01/16/3
- openwall.com http://www.openwall.com/lists/oss-security/2025/01/16/4
- openwall.com http://www.openwall.com/lists/oss-security/2025/01/16/5
- lists.debian.org https://lists.debian.org/debian-lts-announce/2025/02/msg00001.html
- yubico.com https://www.yubico.com/support/security-advisories/ysa-2025-01/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.