CVE-2025-29906
📋 TL;DR
CVE-2025-29906 is an authentication bypass vulnerability in Finit's getty implementation that allows unauthenticated users to log in as any user without providing credentials. This affects Linux systems running Finit versions 3.0-rc1 through 4.10. The vulnerability is particularly dangerous for systems with physical or serial console access.
💻 Affected Systems
- Finit
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical or serial console access gains root privileges, leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Local attackers or users with console access bypass authentication to gain unauthorized user privileges, potentially escalating to root.
If Mitigated
Systems without console access or with physical security controls limit exploitation to authorized personnel only.
🎯 Exploit Status
Exploitation requires console access (physical or serial). The flaw lies in the getty's own authentication handling, so the bypass is reachable from the login prompt itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.11
Vendor Advisory: https://github.com/troglobit/finit/security/advisories/GHSA-563g-p98j-mc9q
Restart Required: Yes
Instructions:
1. Update Finit to version 4.11 or later.
2. For package managers: use your distribution's update mechanism.
3. For source installations: download the latest release from GitHub and recompile.
4. Restart the system to load the patched version.
🔧 Temporary Workarounds
Disable vulnerable getty implementation
Replace Finit's bundled getty with an external implementation such as agetty or mingetty.
Modify the Finit configuration to use the external getty.
Example: tty [123456] /sbin/agetty -8 38400 %l
Restrict console access
Implement physical security controls and restrict serial console access.
Configure BIOS/UEFI to require a password for console access.
Disable the serial console in the kernel parameters if it is not needed.
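To see which tty lines in a system's Finit configuration still use the built-in getty before applying the workaround above, here is an added shell script (written for this page, not taken from the advisory or from the Finit project). It assumes the finit.conf tty syntax in which a built-in getty line names the device directly (for example /dev/ttyS0, @console, or a bare name such as ttyAMA0) while an external getty line names the program to run (for example /sbin/agetty); optional [runlevel] and <condition> fields are skipped. The sample configuration inside it is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or the Finit project. Classifies "tty"
# lines in a Finit configuration as using Finit's built-in getty (the code
# path this advisory concerns) or an external getty such as agetty.
# Assumed syntax (treat as an assumption, check against your Finit docs):
#   tty [12345] /dev/ttyS0 115200 noclear vt100      -> built-in getty
#   tty [12345] /sbin/agetty -8 38400 tty1           -> external getty

# classify_tty_line LINE -> prints builtin, external, or other (non-tty line)
classify_tty_line() {
    line=$1
    set -f                      # no pathname expansion while splitting "[12345]"
    set -- $line
    set +f
    [ "${1:-}" = "tty" ] || { echo other; return 0; }
    shift
    # skip the optional run-level "[...]" and condition "<...>" fields
    while [ $# -gt 0 ]; do
        case "$1" in
            "["*"]"|"<"*">") shift ;;
            *) break ;;
        esac
    done
    case "${1:-}" in
        /dev/*|@console) echo builtin ;;   # device named directly: built-in getty
        /*)              echo external ;;  # program path: external getty
        *)               echo builtin ;;   # bare device name such as ttyAMA0
    esac
}

# audit_finit_conf FILE -> prints "kind line" for every tty line;
# returns 1 if at least one line still relies on the built-in getty
audit_finit_conf() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        kind=$(classify_tty_line "$line")
        [ "$kind" = other ] && continue
        printf '%-8s %s\n' "$kind" "$line"
        [ "$kind" = builtin ] && found=1
    done < "$1"
    [ "$found" -eq 0 ]
}

# builtin_getty_count FILE -> number of built-in getty tty lines
builtin_getty_count() {
    audit_finit_conf "$1" | grep -c '^builtin' || true
}

# Constructed sample configuration so the script runs stand-alone;
# on a real system point audit_finit_conf at /etc/finit.conf instead.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed finit.conf fragment for this example
service [2345] /sbin/syslogd -n -- System log daemon
tty [12345] /dev/ttyS0 115200 noclear vt100
tty [12345] /sbin/agetty -8 38400 tty1
tty [2345] @console 115200
tty [12345] ttyAMA0 115200 vt220
EOF

audit_finit_conf "$SAMPLE_CONF" || echo "built-in getty lines found: review before relying on the workaround"
```

Lines reported as builtin are the ones to convert to an external getty; lines reported as external already bypass Finit's own login code.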
🧯 If You Can't Patch
- Implement strict physical security controls around console access
- Monitor console login attempts and audit user sessions regularly
🔍 How to Verify
Check if Vulnerable:
Check the Finit version with finit --version or by examining the installed package version. If the version is between 3.0-rc1 and 4.10 inclusive, the system is vulnerable.
Check Version:
finit --version || dpkg -l | grep finit || rpm -qa | grep finit
Verify Fix Applied:
After patching, verify that the version is 4.11 or later: finit --version
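As an added example (not from the advisory), the version test above as a shell script. It assumes version strings of the form 3.0-rc1, 4.10 or 4.11.1 and does not assume any particular output format from finit --version: it pulls the first version-looking token out of whatever text it is given. Release candidates are ordered before the release they precede, so 3.0-rc1 is the bottom of the affected range. The sample inputs at the end are constructed.

```shell
#!/bin/sh
# Added example (not part of the advisory or of the Finit project): turn
# "is the version between 3.0-rc1 and 4.10 inclusive" into a script.
# Assumptions: versions look like "3.0-rc1", "4.10" or "4.11.1"; the exact
# output of "finit --version" is unknown here, so extract_version takes the
# first version-looking token from any text.

# extract_version TEXT -> first token of the form N.N[.N][-rcN], or nothing
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+(-rc[0-9]+)?' | head -n1
}

# version_key VERSION -> integer that orders versions correctly, with
# release candidates before the release they precede:
# 3.0-rc1 < 3.0-rc2 < 3.0 < 3.1 < 4.10 < 4.10.1 < 4.11
version_key() {
    v=${1#v}
    rel=1; rc=0
    case "$v" in
        *-rc*) rc=${v##*-rc}; v=${v%-rc*}; rel=0 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    echo $(( maj * 100000000 + min * 1000000 + pat * 10000 + rel * 1000 + rc ))
}

# finit_affected VERSION -> exit 0 if 3.0-rc1 <= VERSION <= 4.10, else 1
finit_affected() {
    key=$(version_key "$1")
    lo=$(version_key 3.0-rc1)
    hi=$(version_key 4.10)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# check_finit_version TEXT -> prints a verdict for the version found in TEXT;
# exit 1 if affected, 0 if not, 2 if no version could be found
check_finit_version() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "no version found in: $1"; return 2
    elif finit_affected "$ver"; then
        echo "Finit $ver: AFFECTED by CVE-2025-29906 (update to 4.11 or later)"; return 1
    else
        echo "Finit $ver: not in the affected range"; return 0
    fi
}

# On a live system (output format of finit --version assumed):
#   check_finit_version "$(finit --version 2>/dev/null)"
# Constructed sample inputs so the script runs stand-alone:
for sample in "Finit v4.10" "finit 4.11" "3.0-rc1"; do
    check_finit_version "$sample" || :
done
```

The same key function works for the package-manager path: feed it the version column from dpkg -l or rpm -qa output and the verdict is identical.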
📡 Detection & Monitoring
Log Indicators:
- Unexpected console logins without authentication
- User logins from unexpected console devices
- Multiple failed login attempts followed by successful login without password
Network Indicators:
- N/A - This is a local console vulnerability
SIEM Query:
source="console" AND event="login" AND NOT auth_method="password"
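The SIEM query and the third log indicator above, as an added shell/awk script that is not part of the advisory. The event format it reads is an assumption made for this example: one event per line with the fields TIMESTAMP TTY EVENT AUTH_METHOD USER, where EVENT is login, login_failed or logout; map your own console log source onto that shape. The log lines embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Flags console logins accepted without
# a password (the page's SIEM query) and, more specifically, such logins that
# follow a run of failed attempts on the same tty (the page's third indicator).
# Assumed event format: TIMESTAMP TTY EVENT AUTH_METHOD USER, one per line.

# console_login_alerts FILE [MIN_FAILS] -> one alert line per suspicious login:
#   NOPASS <ts> <tty> <user>            login accepted without a password
#   FAIL-THEN-NOPASS <ts> <tty> <user>  same, after >= MIN_FAILS failures (default 2)
console_login_alerts() {
    awk -v min_fails="${2:-2}" '
        $3 == "login_failed" { fails[$2]++; next }
        $3 == "login" {
            if ($4 != "password") {
                tag = (fails[$2] >= min_fails) ? "FAIL-THEN-NOPASS" : "NOPASS"
                print tag, $1, $2, $5
            }
            fails[$2] = 0        # a successful login ends the failure streak on that tty
        }
    ' "$1"
}

# alert_count FILE -> number of alerts, for thresholds and tests
alert_count() {
    console_login_alerts "$1" | wc -l | tr -d ' '
}

# Constructed sample events so the script runs stand-alone
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2025-03-20T10:00:01 tty1 login password alice
2025-03-20T10:05:10 ttyS0 login_failed password root
2025-03-20T10:05:20 ttyS0 login_failed password root
2025-03-20T10:05:31 ttyS0 login none root
2025-03-20T10:07:00 tty2 login none bob
2025-03-20T10:08:00 tty1 logout - alice
EOF

console_login_alerts "$SAMPLE_LOG"
```

On the constructed sample the root login on ttyS0 is reported as FAIL-THEN-NOPASS and bob's login on tty2 as NOPASS; alice's password login on tty1 is not reported.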