CVE-2025-23013
Yubico pam-u2f Local Privilege Escalation Authentication Bypass
Description
In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password.
INFO
Published Date :
Jan. 15, 2025, 4:15 a.m.
Last Modified :
Jan. 16, 2025, 10:15 p.m.
Source :
[email protected]
Remotely Exploitable :
No
Impact Score :
Exploitability Score :
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-23013.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-23013 vulnerability anywhere in the article.
-
The Cyber Express
Yubico Warns of 2FA Security Flaw in pam-u2f for Linux and macOS Users
Yubico has released a security advisory, YSA-2025-01, which highlighted a vulnerability within the software module that supports two-factor authentication (2FA) for Linux and macOS platforms. This iss ... Read more
-
Cybersecurity News
CVE-2024-53691: PoC Exploit Released for Severe QNAP RCE Flaw
Security researcher c411e published a proof-of-concept (PoC) exploit code for a severe vulnerability in QNAP NAS devices, identified as CVE-2024-53691, with a CVSS score of 8.7. Exploitation of this f ... Read more
-
Cybersecurity News
Yubico Addresses Authentication Bypass Vulnerability CVE-2025-23013 in pam-u2f Package
Yubico, a leading provider of security keys and authentication solutions, has issued a security advisory to address an authentication bypass vulnerability, CVE-2025-23013, in their open-source pam-u2f ... Read more
The following table lists the changes that have been made to the
CVE-2025-23013 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jan. 16, 2025
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2025/01/16/5 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jan. 16, 2025
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2025/01/16/4 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jan. 16, 2025
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2025/01/16/3 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jan. 16, 2025
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2025/01/16/2 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jan. 15, 2025
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2025/01/15/1 -
New CVE Received by [email protected]
Jan. 15, 2025
Action Type Old Value New Value Added Description In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password. Added CVSS V4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-394 Added Reference https://www.yubico.com/support/security-advisories/ysa-2025-01/
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-23013 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-23013
weaknesses.