CVE-2025-13455
Published: 14 January 2026
Summary
CVE-2025-13455 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Lenovo Thinkplus Fu100 Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); it is ranked at the 8.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-13455 is a vulnerability in the ThinkPlus configuration software that enables a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. This issue, associated with CWE-290 (Authentication Bypass by Spoofing), carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. The vulnerability was published on 2026-01-14.
A local authenticated user with low privileges can exploit this flaw by leveraging the ThinkPlus configuration software to circumvent device authentication mechanisms. Successful exploitation allows the attacker to enroll an untrusted fingerprint, potentially granting unauthorized persistent access to the affected ThinkPlus device or enabling further compromise of its security controls.
For mitigation details, refer to the Lenovo advisory at https://iknow.lenovo.com.cn/detail/436983.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206287
Vulnerability details
A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a local authentication bypass that enrolls an unauthorized biometric credential, which directly facilitates account manipulation and modification of authentication processes for persistent device access.
Mitigating Controls (NIST 800-53 r5)
- IA-3 (Device Identification and Authentication): Requires robust device identification and authentication before allowing configuration software to perform actions like fingerprint enrollment, directly countering the authentication bypass vulnerability.
- IA-5 (Authenticator Management): Mandates management and verification of authenticators such as fingerprints to ensure only trusted ones are enrolled, preventing unauthorized enrollment via the vulnerable configuration software.
- Least privilege: Enforces least privilege for local authenticated users, limiting low-privilege accounts from exploiting the vulnerability to bypass device authentication and perform enrollment.
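The following Python is an added illustration of the pattern these controls describe; it is not the advisory's content and not Lenovo's ThinkPlus code. It models a biometric device in two shapes: one that trusts a host-supplied "user is authenticated" flag (the spoofable shape CWE-290 names, where any local process driving the configuration software can claim success), and one that verifies an existing trusted authenticator on the device itself, mints a one-time session token bound to a device-held key, and validates the template before storing it. The class, key, PIN, template format and method names are all hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: a hypothetical biometric device that must authenticate the
# user before accepting a new fingerprint template. Nothing here is ThinkPlus code.


class EnrollmentDenied(Exception):
    pass


@dataclass
class BiometricDevice:
    # Secret provisioned to the device at manufacture (constructed value).
    key: bytes = b"constructed-device-secret-not-for-real-use"
    # Existing trusted credential: hash of the enrolled admin's PIN (constructed).
    admin_pin_hash: bytes = hashlib.sha256(b"1234").digest()
    enrolled: list = field(default_factory=list)
    used_nonces: set = field(default_factory=set)

    # --- Weak pattern (CWE-290): the device trusts whatever the host asserts. ---
    def enroll_trusting_host(self, template: bytes, host_says_authenticated: bool) -> bool:
        if not host_says_authenticated:
            raise EnrollmentDenied("host reports user not authenticated")
        self.enrolled.append(template)
        return True

    # --- Hardened pattern: the device issues and verifies its own proof. ---
    def authenticate_user(self, pin: bytes) -> tuple:
        """IA-3: verify an existing trusted authenticator on the device, then issue a
        one-time session token that only this device (holder of `key`) can mint."""
        if not hmac.compare_digest(hashlib.sha256(pin).digest(), self.admin_pin_hash):
            raise EnrollmentDenied("existing authenticator rejected")
        nonce = secrets.token_bytes(16)
        token = hmac.new(self.key, b"enroll-session|" + nonce, hashlib.sha256).digest()
        return nonce, token

    def enroll_with_proof(self, template: bytes, nonce: bytes, token: bytes) -> bool:
        """Accept a template only with a valid, unused token the device itself minted."""
        expected = hmac.new(self.key, b"enroll-session|" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, token):
            raise EnrollmentDenied("session token not issued by this device")
        if nonce in self.used_nonces:
            raise EnrollmentDenied("session token replayed")
        self.used_nonces.add(nonce)
        # IA-5: sanity-check the authenticator before storing it (constructed rule:
        # a template is exactly 512 bytes and must not duplicate an existing one).
        if len(template) != 512:
            raise EnrollmentDenied("malformed template")
        if template in self.enrolled:
            raise EnrollmentDenied("template already enrolled")
        self.enrolled.append(template)
        return True


def demo() -> dict:
    """Run both shapes and report what each accepted."""
    template = bytes(512)  # constructed placeholder template

    weak = BiometricDevice()
    # A low-privileged local process simply claims the user was authenticated.
    weak_accepted_spoof = weak.enroll_trusting_host(template, host_says_authenticated=True)

    hard = BiometricDevice()
    try:  # same claim, now as a forged token: rejected
        hard.enroll_with_proof(template, b"\x00" * 16, b"\x00" * 32)
        forged_accepted = True
    except EnrollmentDenied:
        forged_accepted = False
    nonce, token = hard.authenticate_user(b"1234")   # legitimate admin flow
    legit_accepted = hard.enroll_with_proof(template, nonce, token)
    try:  # reusing the consumed token for a second template: rejected
        hard.enroll_with_proof(bytes([1]) * 512, nonce, token)
        replay_accepted = True
    except EnrollmentDenied:
        replay_accepted = False
    return {
        "weak_accepted_spoof": weak_accepted_spoof,
        "forged_accepted": forged_accepted,
        "legit_accepted": legit_accepted,
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is where the authentication decision lives: in the weak shape the configuration software on the host decides and the device merely believes it, so a local user who controls the host side controls the decision; in the hardened shape the device verifies the existing credential, binds the resulting token to a key the host never sees, and consumes it on use, so neither a claimed flag nor a captured token enrolls anything.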