CVE-2025-13455 in ThinkPlus FU100info

Summary

by MITRE • 01/15/2026

A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint.


Analysis

by VulDB Data Team • 01/15/2026

This vulnerability exists within the ThinkPlus configuration software developed by Lenovo for managing ThinkPad devices and their biometric authentication systems. The flaw is a critical authentication bypass that undermines the security posture of devices relying on fingerprint enrollment and verification. It specifically affects the authentication flow in the part of the configuration software that manages device-level biometric enrollment.

The vulnerability stems from insufficient validation of device authentication status during fingerprint enrollment operations. A local authenticated user with access to the ThinkPlus software can manipulate the enrollment process to bypass the normal device authentication requirements. This is caused by inadequate input validation and authentication state checking within the software's enrollment routines. As a result, an attacker can enroll fingerprints without proper device verification, effectively creating a backdoor for unauthorized biometric access.

The operational impact extends beyond simple privilege escalation, because the flaw compromises the integrity of the device's biometric security framework itself. An attacker with local access to a device running ThinkPlus software can enroll unauthorized fingerprints and subsequently gain access to systems protected by fingerprint authentication. This creates a persistent access vector that can be exploited across multiple sessions and potentially across different devices managed by the same configuration software. The implications are particularly severe in enterprise environments where device security is paramount.

Mitigation should focus on promptly applying software updates from Lenovo that address the authentication bypass and strengthen input validation within the enrollment process. Organizations should implement strict access controls limiting local administrative privileges and monitor for unauthorized enrollment activity. The vulnerability aligns with CWE-287 (improper authentication) and could be categorized under ATT&CK technique T1548.001 for abuse of privileges. System administrators should also consider additional controls such as device attestation and monitoring for suspicious enrollment patterns. Regular security assessments of device management software and biometric systems should be conducted to identify similar authentication bypass vulnerabilities in other enterprise systems.

Responsible

Lenovo

Reservation

11/19/2025

Disclosure

01/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00027

KEV

no

Activities

very low
