Hardware authentication security key provider Yubico has warned of a high-severity issue impacting its pam-u2f software package for YubiKey and FIDO-compliant device integration, which could be exploited to partially bypass two-factor authentication on macOS and Linux devices, The Cyber Express reports.
Yubico said the vulnerability, tracked as CVE-2025-23013, stems from inadequate authentication flow management within the pam_sm_authenticate() function. The company said the issue is slightly more severe in configurations that use pam-u2f for single-factor authentication with a user-managed AuthFile, and in those that use pam-u2f for single-factor authentication alongside other Pluggable Authentication Modules, than in deployments that use it for 2FA with a centrally managed AuthFile.
Organizations running pam-u2f versions prior to 1.3.1, especially those that installed it via apt or by manual means on macOS and Linux systems, have been urged to download the latest version of the module immediately to avoid potential compromise.
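As an added example (not from the article or from Yubico), a POSIX shell audit that sorts pam_u2f.so lines in a PAM configuration into the centrally managed and user-managed AuthFile scenarios the article distinguishes, and checks whether an installed version is 1.3.1 or later. It assumes that pam-u2f's authfile= option selects a central mapping file and that the per-user key file is used when that option is absent; the sample PAM fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or the article. Assumption: pam-u2f's
# "authfile=" option points at a central mapping file; without it the module
# reads each user's own u2f_keys file (the user-managed AuthFile case).

# classify_pam_u2f_line LINE
# Prints central-authfile, user-managed-authfile or not-pam-u2f.
classify_pam_u2f_line() {
    case $1 in
        *pam_u2f.so*) ;;
        *) echo "not-pam-u2f"; return 0 ;;
    esac
    case $1 in
        \#*) echo "not-pam-u2f" ;;               # commented-out entry
        *authfile=*) echo "central-authfile" ;;
        *) echo "user-managed-authfile" ;;
    esac
}

# version_is_fixed VERSION: succeeds when VERSION is 1.3.1 or later
# (distribution suffixes such as 1.3.1-1 are tolerated).
version_is_fixed() {
    v=$1
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%[!0-9]*}; pat=${pat:-0}
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -lt 1 ] && return 1
    [ "$min" -gt 3 ] && return 0
    [ "$min" -lt 3 ] && return 1
    [ "$pat" -ge 1 ]
}

# audit_pam_file FILE: prints one classified line per pam_u2f.so entry.
audit_pam_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        c=$(classify_pam_u2f_line "$line")
        [ "$c" = "not-pam-u2f" ] || printf '%s: %s\n' "$c" "$line"
    done < "$1"
}

# Constructed sample PAM fragment for a stand-alone run (not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#auth required pam_u2f.so
auth sufficient pam_u2f.so cue
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
EOF
audit_pam_file "$sample"
rm -f "$sample"
```

On a real host, run audit_pam_file over the files in /etc/pam.d and feed the installed pam-u2f version to version_is_fixed; any user-managed-authfile line on a version below 1.3.1 is the configuration the advisory rates as more severe.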