
A serious security vulnerability has been discovered in Finit, a lightweight and fast init system for Linux, originally reverse-engineered from the EeePC fastinit by Claudio Matsuoka. Tracked as CVE-2025-29906, this flaw carries a CVSS score of 8.6 and exposes affected systems to an authentication bypass risk.
Finit is often used as a minimalist alternative to SysV init and systemd, ideal for embedded devices and lean Linux distributions. It supports runlevels, on-demand service startup, and process monitoring, making it especially attractive for resource-constrained environments.
The core of the issue lies in how Finit’s built-in getty handles the tty configuration directive. In affected versions (v3.0-rc1 and later), this bundled getty can be tricked into bypassing the standard /bin/login authentication process.
“A user can log in as any user without authentication,” the advisory warns.
The vulnerability is triggered when Finit is configured to use the internal getty for certain terminals, as shown in this example configuration:
This misconfiguration allows a terminal session to bypass the login process entirely, granting the user immediate shell access as any local user — potentially including root if enabled.
The local nature of the exploit limits remote abuse but poses a serious threat in multi-user environments, development boards, or any system exposed to physical access or serial terminal connections.
Because Finit is often deployed in embedded systems, the risk is particularly acute where physical security cannot be guaranteed, such as kiosks, IoT gateways, or development platforms.
The Finit development team has addressed this vulnerability in version 4.11. It is strongly recommended that all users of Finit versions v3.0-rc1 and later upgrade to v4.11 immediately. This update contains the necessary patches to secure the getty implementation and prevent unauthorized logins.
For users who cannot immediately upgrade to v4.11, a viable workaround exists: use an external getty implementation, such as agetty, which ships with most Linux distributions.
To implement this workaround, you would modify your Finit tty configuration files to explicitly call the external getty binary. For example:
By specifying the full path to an external getty, you bypass the vulnerable bundled version.
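To audit which tty lines on a pre-4.11 system still rely on the bundled getty, here is an added example (not from the article or the Finit project) that parses a finit.conf fragment. It assumes the documented `tty [LVLS] <COND> DEV|CMD ...` layout, that a `/dev/` path or `@console` selects the bundled getty, and that any other absolute path is an external getty such as agetty; the sample configuration is constructed.

```python
from typing import List, Tuple

# Constructed sample finit.conf fragment (not taken from the article or Finit).
SAMPLE_FINIT_CONF = """\
# serial console served by Finit's bundled getty (affected before v4.11)
tty [12345] /dev/ttyS0 115200 noclear vt100
# virtual console, also the bundled getty
tty [2345] /dev/tty1 nowait
# external getty: the workaround the advisory recommends
tty [12345] /sbin/agetty -L 115200 ttyS1 vt100
service [2345] /usr/sbin/sshd -D -- OpenSSH daemon
"""


def _tty_target(tokens: List[str]) -> str:
    """First token after 'tty' that is neither a runlevel list [..] nor a condition <..>."""
    for tok in tokens[1:]:
        if tok.startswith("[") or tok.startswith("<"):
            continue
        return tok
    return ""


def classify_tty_lines(conf: str) -> List[Tuple[int, str, str]]:
    """Classify each tty directive as 'builtin' (device given, Finit's own getty runs
    it) or 'external' (absolute path to a getty binary such as agetty).
    Returns (line_number, kind, line) tuples. Assumed grammar:
    tty [LVLS] <COND> DEV|CMD [ARGS...]"""
    results = []
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        tokens = line.split()
        if not tokens or tokens[0] != "tty":
            continue
        target = _tty_target(tokens)
        if target.startswith("/") and not target.startswith("/dev/"):
            kind = "external"  # full path to a getty binary bypasses the bundled one
        else:
            kind = "builtin"   # /dev/..., @console or a bare name: bundled getty (assumption)
        results.append((lineno, kind, line))
    return results


def builtin_getty_lines(conf: str) -> List[str]:
    """Only the lines that still rely on the bundled getty, i.e. what to change pre-4.11."""
    return [line for _, kind, line in classify_tty_lines(conf) if kind == "builtin"]


if __name__ == "__main__":
    for lineno, kind, line in classify_tty_lines(SAMPLE_FINIT_CONF):
        print(f"{lineno:3d} {kind:8s} {line}")
```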