The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.

Meh, doesn’t seem that realistic of an attack yet, but I know that could change.

This only affects devices with firmware 5.6 and below—anything before May 2024. If you buy a key now, the vulnerability will be patched.