YubiKey NEO OpenPGP Security Bug

David Maples

David Maples

2 minute read

Yubico recently learned of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. If you are not using OpenPGP, or have the OpenPGP applet version 1.0.10 or later, this vulnerability does not apply to you.

The OpenPGP Card applet defect was inherited from the open-source software project “javacardopenpgp.” The technical details are available in a security advisory posted on our website. This issue only affects the OpenPGP applet and does not impact the security of the YubiKey or its other functions.

While we continue to believe that the practical impact for the majority of users is not critical, Yubico aspires to exceed expectations related to security incident handling. Therefore, we have developed a policy on replacing affected YubiKey NEOs.

Note that moving usage of an OpenPGP key to a new YubiKey NEO requires that you have saved a backup copy of the private key on the card as there is no way to retrieve the private key from any YubiKey, including the YubiKey NEO. If you did not save a backup copy of the private key when you initially generated the key, you will need to revoke the existing key and create a new key. Therefore, we urge you to consider whether you are truly affected by the security issue before proceeding.

If you are using the YubiKey NEO with the OpenPGP Card applet and want to replace your YubiKey, go to yubi.co/support to log a support ticket. Include the output from ‘gpg –card-status’ on your YubiKey NEO (masking out personal information) together with your order number in the ticket you submit. We will give you a coupon code so you can order a replacement YubiKey NEO.

,
Talk to our teamTalk to our team

Share this article:
  • Navigating the PCI DSS 4.0 transition and meeting compliance with phishing-resistant YubiKeysIn just a few days, on March 31, 2025, decision makers in industries that involve payment processing – including financial services, retail & hospitality and telecommunications – are tasked to finalize the transition to Payment Card Industry Data Security Standard (PCI DSS) 4.0. This deadline marks a critical juncture for all organizations handling payment card […]Read moreNISTPCI DSSPCI DSS 4.0
  • Building cyber resilience with Yubico and MicrosoftIn today’s digital landscape, cyber threats are evolving at an unprecedented pace: every second, a phishing attack takes place. In fact, over 80% of these attacks are the result of stolen login credentials and almost 70% of phishing attacks relied on AI last year alone. Recent data from Microsoft Entra also reveals a staggering increase […]Read moreMFA mandatesMicrosoft
  • Yubico’s commitment to innovation: Phishing-resistance as a cornerstone for cyber resilienceAs phishing attacks have reached an unprecedented level of frequency and sophistication, enterprises must prioritize authentication that is phishing-resistant – regardless of the business scenario, platform or device users are working with. This is why Yubico prioritizes consistent product innovations that deliver on our customer’s needs for modern, phishing-resistant authentication solutions that enable businesses to […]Read more
  • CEO Corner: Wrapping up a strong year, and looking ahead to 2025 and beyondIt’s no secret that 2024 was a big year of growth for Yubico, highlighted across many notable achievements by our team and increasing demand from our customers. As discussed in my previous post, following a transformative year driven by key cybersecurity trends like passkeys and AI, the year culminated in the significant step of Yubico […]Read moreCEOEarningsMattias Danielsson