Description
Nitrokey 3 Firmware is the firmware of Nitrokey 3 USB keys. For release 1.8.0, and test releases with PIV enabled prior to 1.8.0, the PIV application could accept invalid keys for authentication of the admin key. This could lead to compromise of the integrity of the data stored in the application. An attacker without access to the proper administration key would be able to generate new keys and overwrite certificates. Such an attacker would not be able to read out or extract existing private data, nor would they be able to gain access to cryptographic operations that would normally require PIN-based authentication. The issue is fixed in piv-authenticator 0.3.9, and in Nitrokey's firmware 1.8.1.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Nitrokey/nitrokey-3-firmware/security/advisories/GHSA-jfhm-ppq8-7hgx
Release Notes x_refsource_misc
https://github.com/Nitrokey/nitrokey-3-firmware/releases/tag/v1.8.1
Various Sources x_refsource_misc
https://www.nitrokey.com/blog/2025/nitrokey-3-firmware-v181-security-update
Scores
CVSS v3: 4.0
EPSS: 0.0013
EPSS Percentile: 3.1%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-287
Status: published
Products (1): Nitrokey/nitrokey-3-firmware = 1.8.0
Published: Feb 12, 2025
Tracked Since: Feb 18, 2026