PT-2025-7057 · Nitrokey · Nitrokey 3 Firmware

Published: 2025-02-12 · Updated: 2025-02-12 · CVE-2025-25201

CVSS v3.1: 4.0 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Nitrokey 3 Firmware versions 1.8.0 and prior test releases with PIV enabled
Description: The PIV application in the Nitrokey 3 Firmware could accept invalid keys for authentication of the admin key, potentially compromising the integrity of the data stored in the application. An attacker without access to the proper administration key could generate new keys and overwrite certificates, but would not be able to read or extract existing private data, nor gain access to cryptographic operations that require PIN-based authentication.
Recommendations: For Nitrokey 3 Firmware version 1.8.0 and prior test releases with PIV enabled, update to firmware version 1.8.1 to resolve the issue. As a temporary workaround, consider restricting access to the PIV application until the update is applied.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2025-25201
GHSA-JFHM-PPQ8-7HGX

Affected Products

Nitrokey 3 Firmware