Cyber Resilience

CVE-2025-13455

Severity: High
Published: 14 January 2026
Modified: 23 February 2026
KEV Added: none (not in the CISA KEV catalog)
Patch: see the Lenovo advisory linked below
CVSS v4 Score: 7.3
CVSS v4 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0003 (8.1th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13455 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Lenovo Thinkplus Fu100 Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). EPSS ranks the vulnerability at the 8.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-13455 is a vulnerability in the ThinkPlus configuration software that enables a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. The issue is classified as CWE-290 (Authentication Bypass by Spoofing) and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. The vulnerability was published on 2026-01-14.

A local authenticated user with low privileges can exploit this flaw by leveraging the ThinkPlus configuration software to circumvent device authentication mechanisms. Successful exploitation allows the attacker to enroll an untrusted fingerprint, potentially granting unauthorized persistent access to the affected ThinkPlus device or enabling further compromise of its security controls.

For mitigation details, refer to the Lenovo advisory at https://iknow.lenovo.com.cn/detail/436983.

Vulnerability details

A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1556 Modify Authentication Process (Defense Impairment): Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.
Why these techniques?

The vulnerability enables a local authentication bypass that allows an unauthorized biometric credential to be enrolled, which directly facilitates account manipulation and modification of the authentication process for persistent device access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1716 (same vendor: Lenovo)
CVE-2026-1715 (same vendor: Lenovo)
CVE-2024-1524 (shared CWE-290)
CVE-2024-55925 (shared CWE-290)
CVE-2024-8273 (shared CWE-290)
CVE-2018-25317 (shared CWE-290)
CVE-2026-22734 (shared CWE-290)
CVE-2025-71056 (shared CWE-290)
CVE-2026-0834 (shared CWE-290)
CVE-2026-33131 (shared CWE-290)

Affected Assets

lenovo thinkplus fu100 firmware: all versions
lenovo thinkplus fu200 firmware: all versions
lenovo thinkplus tu800 firmware: all versions
lenovo thinkplus tsd303 firmware: all versions

Mitigating Controls (NIST 800-53 r5, AI mapping)

prevent: Requires robust device identification and authentication before allowing configuration software to perform actions like fingerprint enrollment, directly countering the authentication bypass vulnerability.

prevent: Mandates management and verification of authenticators such as fingerprints to ensure only trusted ones are enrolled, preventing unauthorized enrollment via the vulnerable configuration software.

prevent: Enforces least privilege for local authenticated users, limiting low-privilege accounts from exploiting the vulnerability to bypass device authentication and perform enrollment.

References