Date: 2025-01-21

Major hardware authentication security key provider Yubico has warned of a high-severity security issue in its pam-u2f software package, which integrates YubiKey and other FIDO-compliant devices. Tracked as CVE-2025-23013, the issue could be exploited to partially evade two-factor authentication defenses on macOS and Linux devices, The Cyber Express reports.

According to Yubico, the vulnerability stems from inadequate authentication flow management within the pam_sm_authenticate() function. It is slightly more severe in configurations that use single-factor authentication with a user-managed AuthFile, or that use pam-u2f for single-factor authentication with other Pluggable Authentication Modules, than in scenarios involving 2FA with a centrally managed AuthFile. Organizations running pam-u2f versions prior to 1.3.1, especially those that installed pam-u2f via apt or manual means on macOS and Linux systems, have been urged to immediately download the latest version of the software module to avoid potential compromise.
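To triage which hosts fall into the configurations described above, the following added example (not Yubico's code and not part of the original report) flags pam-u2f versions below 1.3.1 and classifies each `pam_u2f.so` line in a PAM stack. The sample PAM lines are constructed, and the mapping from control flag and `authfile=` path to "single-factor" or "user-managed" is a heuristic assumed here, not Yubico's definition.

```python
import re

FIXED = (1, 3, 1)  # first fixed pam-u2f release named in the article

# Constructed sample PAM stack lines (not taken from any real host).
SAMPLE = """\
# /etc/pam.d/sudo (constructed)
auth sufficient pam_u2f.so cue
auth required pam_unix.so
auth required pam_u2f.so authfile=/etc/u2f_mappings
auth [success=1 default=ignore] pam_u2f.so authfile=.ssh/u2f_keys
"""

def is_vulnerable(version):
    """True if the upstream part of a package version is below 1.3.1."""
    m = re.match(r"(?:\d+:)?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) < FIXED

def audit(pam_text):
    """Return one finding dict per pam_u2f.so auth line."""
    findings = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or not m.group(2).endswith("pam_u2f.so"):
            continue
        control, opts = m.group(1), m.group(3).split()
        authfile = next((o.split("=", 1)[1] for o in opts
                         if o.startswith("authfile=")), None)
        # Heuristic (assumption): absolute path = centrally managed file;
        # no authfile or a relative path = per-user file under the home dir.
        central = bool(authfile) and authfile.startswith("/")
        # Heuristic (assumption): "sufficient" lets pam_u2f alone authenticate.
        if control == "sufficient":
            role = "single-factor"
        elif control in ("required", "requisite"):
            role = "second-factor"
        else:
            role = "review"  # bracketed or other controls need a human look
        findings.append({"control": control, "role": role,
                         "authfile": "central" if central else "user-managed"})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a real host, feed `audit()` the contents of the files under `/etc/pam.d/` and `is_vulnerable()` the installed package version string.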