CVE-2025-13455 is an authentication bypass vulnerability categorized under CWE-290, discovered in the Lenovo ThinkPlus FU100 Gen 1 biometric device configuration software. The flaw allows a local authenticated user with limited privileges to circumvent the device's fingerprint authentication mechanism and enroll an untrusted fingerprint. This bypass occurs due to insufficient verification during the enrollment process, enabling attackers to add fingerprints that are not legitimately authorized. The vulnerability requires local access with some level of authentication (low privileges) but does not require user interaction beyond that. The CVSS 4.0 base score is 7.3, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), partial attack traceability (AT:P), and low privileges required (PR:L). The impact on confidentiality, integrity, and availability is high, as unauthorized biometric enrollment can lead to unauthorized access to systems protected by the device. No patches or known exploits are currently available, but the vulnerability is published and should be addressed promptly. The ThinkPlus FU100 is used primarily in enterprise environments for biometric authentication, making this vulnerability significant for organizations relying on biometric security for access control.

For European organizations, this vulnerability poses a significant risk to the security of biometric authentication systems. Unauthorized fingerprint enrollment can allow attackers to impersonate legitimate users, potentially gaining access to sensitive systems, data, or physical locations secured by the ThinkPlus FU100 device. This could lead to data breaches, intellectual property theft, or unauthorized physical access. Sectors such as finance, government, healthcare, and critical infrastructure that rely on biometric authentication are particularly vulnerable. The local access requirement limits remote exploitation but does not eliminate risk, especially in environments with shared or insufficiently controlled local access. The lack of patches increases exposure time, and the high integrity and confidentiality impact could undermine trust in biometric security solutions across affected organizations.

To mitigate this vulnerability, organizations should immediately restrict local access to systems equipped with the ThinkPlus FU100 device, enforcing strict access controls and monitoring for unusual enrollment activities. Implement enhanced logging and alerting on biometric enrollment events to detect unauthorized fingerprint additions. Until a vendor patch is available, consider disabling fingerprint enrollment features or using alternative authentication methods where feasible. Conduct regular audits of enrolled fingerprints to identify and remove any untrusted entries. Educate users and administrators about the risk and ensure physical security of devices to prevent unauthorized local access. Once Lenovo releases a patch or update, prioritize its deployment across all affected devices. Additionally, consider network segmentation and endpoint protection measures to limit the potential impact of compromised devices.