CVE-2025-13709

7.8 HIGH

📋 TL;DR

This vulnerability in the restore_checkpoint function of Tencent TFace allows remote attackers to execute arbitrary code as root when a user interacts with malicious content. The flaw is improper deserialization of untrusted data in that function. Organizations running unpatched TFace installations are affected.

💻 Affected Systems

Products:
  • Tencent TFace
Versions: All versions prior to commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9
Operating Systems: All platforms running TFace
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the restore_checkpoint function when processing untrusted data

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root privileges, data exfiltration, and persistent backdoor installation

🟠

Likely Case

Attacker gains root access on affected systems, potentially leading to data theft and lateral movement

🟢

If Mitigated

Limited impact with proper network segmentation and user privilege restrictions

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious content but can lead to full compromise
🏢 Internal Only: MEDIUM - Internal users could be tricked into triggering the exploit

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (visiting malicious page or opening malicious file) but leads to root code execution

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9

Vendor Advisory: https://github.com/Tencent/TFace/commit/7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9

Restart Required: Yes

Instructions:

1. Update TFace to a version containing commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9
2. Restart TFace services
3. Verify the fix by confirming that commit hash is present in the installed checkout

🔧 Temporary Workarounds

Input Validation Enhancement

Platforms: all

Implement strict input validation for restore_checkpoint function parameters

# Review and modify restore_checkpoint to validate all input parameters
# Add serialization validation before processing
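The workaround above asks for serialization validation before restore_checkpoint processes a file. The following is an added example, not TFace's own code: it shows the vulnerable pattern (a plain pickle load of whatever the file contains) beside a hardened loader that only resolves an allowlist of globals and then checks the checkpoint's structure. The checkpoint layout (an "epoch" int and a "state_dict" OrderedDict of float lists), the function names and the sample blobs are all assumptions constructed for this example.

```python
import io
import os
import pickle
from collections import OrderedDict

# Allowlist of (module, name) pairs a checkpoint may reference. Assumption for
# this example: the only non-builtin type a legitimate checkpoint needs is the
# OrderedDict a state_dict is stored in; every other global is refused.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Assumed top-level layout of a checkpoint (not TFace's real format).
EXPECTED_KEYS = {"epoch", "state_dict"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    pickle consults find_class only for GLOBAL/STACK_GLOBAL opcodes, so plain
    dicts, lists and scalars load normally while any reference to another
    importable object (the root of pickle-based code execution) is rejected.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"checkpoint references forbidden global {module}.{name}")


def restore_checkpoint_unsafe(data: bytes):
    """The vulnerable pattern: whatever the file references gets resolved."""
    return pickle.loads(data)


def restore_checkpoint_safe(data: bytes) -> dict:
    """Hardened loader: restricted unpickler plus a structural check."""
    ckpt = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(ckpt, dict) or set(ckpt) != EXPECTED_KEYS:
        raise ValueError("checkpoint has unexpected top-level structure")
    if not isinstance(ckpt["epoch"], int):
        raise ValueError("epoch must be an int")
    state = ckpt["state_dict"]
    if not isinstance(state, dict):
        raise ValueError("state_dict must be a mapping")
    for key, weights in state.items():
        if (not isinstance(key, str) or not isinstance(weights, list)
                or not all(isinstance(w, float) for w in weights)):
            raise ValueError(f"state_dict entry {key!r} is not a list of floats")
    return ckpt


def check_checkpoint(data: bytes) -> tuple:
    """Return (accepted, reason) for a checkpoint blob instead of raising."""
    try:
        restore_checkpoint_safe(data)
        return True, "ok"
    except (pickle.UnpicklingError, ValueError) as exc:
        return False, str(exc)


# Constructed sample checkpoints (not real TFace files).
GOOD_CHECKPOINT = pickle.dumps(
    {"epoch": 3, "state_dict": OrderedDict([("fc.weight", [0.1, 0.2])])})
# Well-formed pickle with the wrong shape: epoch is a string.
BAD_STRUCTURE_CHECKPOINT = pickle.dumps(
    {"epoch": "three", "state_dict": OrderedDict()})
# A blob that references a module global a weight file never needs. os.getcwd
# is a harmless stand-in: the loader cannot tell a harmless reference from a
# harmful one, which is exactly why the allowlist exists.
GLOBAL_REF_CHECKPOINT = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    for label, blob in [("good", GOOD_CHECKPOINT),
                        ("bad structure", BAD_STRUCTURE_CHECKPOINT),
                        ("global reference", GLOBAL_REF_CHECKPOINT)]:
        print(label, check_checkpoint(blob))
```

Note that restore_checkpoint_unsafe happily returns a function object for the global-reference blob, whereas the hardened loader refuses it before anything is resolved. For PyTorch checkpoints the same allowlist idea is available at the framework level through torch.load(..., weights_only=True).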

Network Segmentation

Platforms: all

Isolate TFace systems from untrusted networks and implement strict egress filtering

# Configure firewall rules to restrict TFace network access
# Implement network segmentation for TFace components

🧯 If You Can't Patch

  • Restrict user privileges strictly: run TFace with the minimum permissions it needs rather than as root
  • Deploy application control solutions to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Compare the installed TFace checkout against commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9; if the checkout predates that commit, it is vulnerable.

Check Version:

# git log --oneline prints abbreviated hashes, so grepping for the full hash never matches;
# instead ask git whether the fix commit is an ancestor of the checked-out revision
git merge-base --is-ancestor 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9 HEAD && echo "fix present" || echo "fix missing"

Verify Fix Applied:

Verify current TFace installation includes commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9

📡 Detection & Monitoring

Log Indicators:

  • Unusual deserialization errors
  • Suspicious restore_checkpoint function calls
  • Unexpected process execution as root

Network Indicators:

  • Unexpected outbound connections from TFace processes
  • Malformed serialization data to TFace endpoints

SIEM Query:

process_name="TFace" AND (event_type="deserialization_error" OR user="root")

🔗 References
