CVE-2023-50430
MEDIUM
Goodix Fingerprint Sensor Firmware - Unauthenticated Authentication Bypass via Windows Hello Template Database Selection
Title source: llm
Description
The Goodix Fingerprint Device, as shipped in Dell Inspiron 15 computers, does not follow the Secure Device Connection Protocol (SDCP) when enrolling via Linux, and accepts an unauthenticated configuration packet to select the Windows template database, which allows bypass of Windows Hello authentication by enrolling an attacker's fingerprint.
References (1)
Core References
Exploit, Technical Description, Third Party Advisory
https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/
Scores
CVSS v3: 6.4
EPSS: 0.0041
EPSS Percentile: 32.7%
Attack Vector: PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-287
Status: published
Products (1): goodix/fingerprint_sensor_firmware
Published: Dec 09, 2023
Tracked Since: Feb 18, 2026