Nitrokey 3 Firmware v1.8.1 Security Update

The Nitrokey 3 firmware v1.8.0 was released last year and added support for the PIV smartcard functionality. Today we are publishing the update v1.8.1. If you are using PIV, we recommend updating immediately.
CVE-2025-25201
In release 1.8.0, and in test releases with PIV enabled prior to 1.8.0, the PIV functionality could accept an invalid key when authenticating the administration key (the PIV management key).
This could lead to compromise of the integrity of PIV data objects.
An attacker without access to the proper administration key would be able to generate new keys and overwrite certificates.
Such an attacker would not be able to read-out or extract existing private data, nor would they be able to gain access to cryptographic operations that would normally require PIN-based authentication.
Exploiting this flaw requires physical access to the Nitrokey 3, or control over a host to which it is connected.
The CVE is rated moderate severity, because the administration key only protects "write" operations on the device, while all protected read operations use the PIN, which is not affected.
Note that even without this vulnerability, an attacker in this position can factory-reset the device and write their own data; this is expected behaviour.
This vulnerability does not affect data in the other functionality of the Nitrokey 3. The FIDO, secrets and OpenPGP functionality is therefore unaffected and unchanged in this release.
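To make the two authorisation gates described above concrete, here is an added toy model of a PIV-style applet, written for this page and not taken from the Nitrokey 3 firmware or the PIV specification. It shows the property the fix restores: a challenge/response under a wrong administration key must be rejected before any write operation (key generation, certificate overwrite) is allowed, while private-key operations are gated separately by the PIN. The class name, the HMAC-SHA256 challenge/response (standing in for PIV's real 3DES/AES management-key authentication) and the sample key and PIN values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values for the example only (not real device secrets).
SAMPLE_ADMIN_KEY = bytes(range(24))
SAMPLE_PIN = "123456"


class PivCardModel:
    """Toy model of a PIV applet's authorisation gates (illustrative only).

    - Administration (management) key authentication gates write operations.
    - PIN verification gates operations that use existing private keys.
    HMAC-SHA256 stands in for the real 3DES/AES challenge/response.
    """

    def __init__(self, admin_key: bytes, pin: str) -> None:
        self._admin_key = admin_key
        self._pin = pin.encode()
        self._pending_challenge = None
        self.admin_authenticated = False
        self.pin_verified = False
        self.certs = {}
        self._slot_keys = {}

    # --- administration-key authentication (challenge/response) ---
    def admin_challenge(self) -> bytes:
        """Card issues a fresh random challenge for the host to answer."""
        self._pending_challenge = os.urandom(16)
        return self._pending_challenge

    def admin_response(self, response: bytes) -> bool:
        """Card checks the host's response against its own admin key.

        Any response not computed with the card's key is rejected; the
        vulnerable behaviour was accepting such responses.
        """
        if self._pending_challenge is None:
            return False
        expected = hmac.new(self._admin_key, self._pending_challenge,
                            hashlib.sha256).digest()
        self._pending_challenge = None  # challenge is single use
        self.admin_authenticated = hmac.compare_digest(expected, response)
        return self.admin_authenticated

    # --- PIN verification ---
    def verify_pin(self, pin: str) -> bool:
        self.pin_verified = hmac.compare_digest(self._pin, pin.encode())
        return self.pin_verified

    # --- write operations: require admin authentication ---
    def generate_key(self, slot: str) -> None:
        if not self.admin_authenticated:
            raise PermissionError("administration key required")
        self._slot_keys[slot] = os.urandom(32)

    def write_certificate(self, slot: str, cert: bytes) -> None:
        if not self.admin_authenticated:
            raise PermissionError("administration key required")
        self.certs[slot] = cert

    # --- private-key use: requires PIN, not the admin key ---
    def sign(self, slot: str, data: bytes) -> bytes:
        if not self.pin_verified:
            raise PermissionError("PIN required")
        if slot not in self._slot_keys:
            raise KeyError("no key in slot")
        return hmac.new(self._slot_keys[slot], data, hashlib.sha256).digest()


def host_respond(admin_key: bytes, challenge: bytes) -> bytes:
    """Host side of the challenge/response using the key it holds."""
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()


def attempt_admin_auth(card: PivCardModel, key: bytes) -> bool:
    """Run one full authentication round with the given admin key."""
    return card.admin_response(host_respond(key, card.admin_challenge()))


def can_write_without_admin(card: PivCardModel) -> bool:
    """True only if the card (wrongly) allows a write with no admin auth."""
    try:
        card.write_certificate("9a", b"cert")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    card = PivCardModel(SAMPLE_ADMIN_KEY, SAMPLE_PIN)
    print("wrong key accepted:", attempt_admin_auth(card, b"\x00" * 24))
    print("right key accepted:", attempt_admin_auth(card, SAMPLE_ADMIN_KEY))
```

The model reflects the advisory's severity reasoning: an attacker who bypasses the administration-key check reaches `generate_key` and `write_certificate` (integrity of PIV data objects), but `sign` still requires the PIN, so existing private keys are neither extracted nor usable.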