A vulnerability (CVE-2025-29906) has been disclosed in the Finit init system that allows logging in to the system without password verification. The flaw is present in all versions since 3.0 (October 2017); exploiting it requires access to the console and manipulation of the login prompt. The issue is fixed in the Finit 4.11 release. The subsequent 4.12 release additionally fixed a buffer problem in the urandom plugin.
The vulnerability is in Finit's built-in getty implementation, which handles user login on the terminal. Because the arguments passed to the /bin/login process were not properly separated, entering certain options in the username field made it possible to bypass password authentication. The fix adds a “-” before the username so that login no longer interprets it as an option.
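The defensive pattern behind the fix, as an added illustration that is not Finit's own code: a getty that hands the typed name to /bin/login must ensure the name cannot be parsed as an option. The helper below rejects names that do not look like login names (in particular any starting with "-") and, as an extra assumption for illustration, places the POSIX "--" end-of-options marker before the name anyway.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not code from the Finit project.
 * Return 1 if `name` is an acceptable login name, 0 otherwise. */
int username_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 32)   /* 32: common Linux login-name limit */
        return 0;
    if (name[0] == '-')         /* login would read this as an option */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fill `argv` for execv("/bin/login", argv). `argv` needs room for
 * at least 4 pointers. Returns the argument count (excluding the
 * terminating NULL), or -1 if the username was rejected.
 * The "--" marker is an assumption for this example: it ends option
 * parsing so that even a future relaxation of the validation above
 * could not turn the username into an option. */
int build_login_argv(const char *name, char *argv[])
{
    if (!username_is_safe(name))
        return -1;
    argv[0] = "login";
    argv[1] = "--";
    argv[2] = (char *)name;
    argv[3] = NULL;
    return 3;
}
```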
As a workaround, it is advised to use an external getty implementation such as agetty instead of Finit's built-in one. The Finit packages in distributions such as Debian 12, Ubuntu, Parrot, Raspbian, and Trisquel have not yet received the fix.
Finit (Fast Init), a simple alternative to SysV init and systemd, has gained popularity in embedded systems. It is based on technology used in Eee PC Linux for fast system booting. Finit supports SysV init runlevels, automatic restart of services on failure, one-shot handlers, launching services with dependencies and conditions, handlers run before and after a service starts, plugins, and CGROUPS V