CVE-2025-29906 HIGH

CVE-2025-29906: Finit bundled getty can bypass /bin/login

Vendor: Troglobit
Product: finit
Weakness: CWE-287 (Improper authentication)
Published: April 29, 2025
Last update: April 30, 2025

CVSS base score: 8.6/10

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Finit is a fast init for Linux systems. Versions starting from 3.0-rc1 and prior to version 4.11 bundle an implementation of getty for the `tty` configuration directive that can bypass `/bin/login`, i.e., a user can log in as any user without authentication. This issue has been patched in version 4.11.

Key dates

02 Disclosure timeline

April 29, 2025: CVE published
April 30, 2025: Record updated