Cyber Posture

CVE-2025-13455

Severity: High
Published: 14 January 2026
Modified: 23 February 2026
KEV Added: not listed in the CISA KEV catalog
Patch: Lenovo advisory, https://iknow.lenovo.com.cn/detail/436983
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.7th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13455 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in the Lenovo ThinkPlus configuration software, affecting the Lenovo ThinkPlus FU100 firmware (the FU200, TU800 and TSD303 firmware are also listed as affected below). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). The CVE is ranked at the 6.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Manipulation (T1098) and one other technique, Modify Authentication Process (T1556). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

IA-3 Device Identification and Authentication (prevent): Requires robust device identification and authentication before allowing the configuration software to perform actions such as fingerprint enrollment, directly countering the authentication bypass.

IA-5 Authenticator Management (prevent): Mandates management and verification of authenticators such as fingerprints so that only trusted ones are enrolled, preventing unauthorized enrollment through the vulnerable configuration software.

Least privilege (prevent): Enforces least privilege for local authenticated users, limiting what low-privilege accounts can do and reducing their ability to use the vulnerability to bypass device authentication and perform enrollment.

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

T1556 Modify Authentication Process (Defense Impairment): Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.
Why these techniques?

The vulnerability lets a local user bypass device authentication and enroll an unauthorized biometric credential, which directly facilitates account manipulation and modification of the authentication process, yielding persistent access to the device.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint.

Deeper analysis

CVE-2025-13455 is a vulnerability in the ThinkPlus configuration software that enables a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. The issue is classified as CWE-290 (Authentication Bypass by Spoofing) and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. The vulnerability was published on 2026-01-14.

A local authenticated user with low privileges can exploit this flaw by leveraging the ThinkPlus configuration software to circumvent device authentication mechanisms. Successful exploitation allows the attacker to enroll an untrusted fingerprint, potentially granting unauthorized persistent access to the affected ThinkPlus device or enabling further compromise of its security controls.

For mitigation details, refer to the Lenovo advisory at https://iknow.lenovo.com.cn/detail/436983.

Details

CWE(s): CWE-290 Authentication Bypass by Spoofing

Affected Products

Lenovo ThinkPlus FU100 firmware: all versions
Lenovo ThinkPlus FU200 firmware: all versions
Lenovo ThinkPlus TU800 firmware: all versions
Lenovo ThinkPlus TSD303 firmware: all versions

CVEs Like This One

CVE-2026-1715 (same vendor: Lenovo)
CVE-2026-1716 (same vendor: Lenovo)
CVE-2025-59707 (shared CWE-290)
CVE-2026-33661 (shared CWE-290)
CVE-2026-34457 (shared CWE-290)
CVE-2025-62235 (shared CWE-290)
CVE-2025-8853 (shared CWE-290)
CVE-2026-2800 (shared CWE-290)
CVE-2018-25316 (shared CWE-290)
CVE-2026-35622 (shared CWE-290)