CVE-2025-13711
📋 TL;DR
CVE-2025-13711 is a deserialization-of-untrusted-data flaw in the eval endpoint of Tencent TFace. An attacker who gets a user to visit a malicious page or open a malicious file can have the endpoint deserialize attacker-controlled data and execute arbitrary code in the context of root. Any deployment built from TFace source that does not include the fix commit is affected.
💻 Affected Systems
- Tencent TFace
📦 What is this software?
TFace is Tencent's open-source face recognition research toolkit, written in Python on PyTorch and distributed as source from GitHub (Tencent/TFace).
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level code execution, allowing complete control over the affected system, data theft, and lateral movement.
Likely Case
Remote code execution leading to data exfiltration, installation of backdoors, or ransomware deployment.
If Mitigated
Limited impact with proper network segmentation, application firewalls, and user education preventing malicious page/file access.
🎯 Exploit Status
The ZDI-CAN-27187 identifier shows the bug was reported through Trend Micro's Zero Day Initiative, which means a working proof of concept was supplied to the vendor under coordinated disclosure; whether an exploit is public is not recorded here. Exploitation needs user interaction (the target must visit a malicious page or open a malicious file) but no authentication to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9 or later
Vendor Advisory: https://github.com/Tencent/TFace/commit/7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9
Restart Required: Yes
Instructions:
1. In the deployed TFace checkout, pull the latest code from GitHub.
2. Confirm that commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9 is in the history of the deployed checkout (see How to Verify below); if the deployment is pinned to an older commit, cherry-pick it.
3. Rebuild and redeploy TFace.
4. Restart all TFace services so the patched code is actually loaded.
🔧 Temporary Workarounds
Disable eval endpoint
Remove or disable access to the vulnerable eval endpoint if it is not required.
# Configuration dependent - modify TFace config to disable eval functionality
Network segmentation
Restrict network access to TFace services to trusted sources only. Replace [TFACE_PORT] and [TRUSTED_IP] with your values. Rule order matters: the ACCEPT must precede the DROP, and because both rules are appended, any earlier ACCEPT rule for the same port in the INPUT chain would still win over the DROP.
iptables -A INPUT -p tcp --dport [TFACE_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [TFACE_PORT] -j DROP
🧯 If You Can't Patch
- Do not deserialize untrusted data on the eval path at all if you can avoid it; where serialized input is unavoidable, accept only an allowlisted set of types and reject any stream that can reference or invoke code, rather than trying to sanitize arbitrary streams.
- Deploy a web application firewall (WAF) with deserialization attack rules in front of the eval endpoint, as a second layer and not as a substitute for the patch.
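As an added illustration of the allowlisting approach described above (example code written for this page, not TFace's own code), the block below assumes the serialized format is Python pickle, which the advisory does not state but which is the usual format in a PyTorch codebase. It places the vulnerable pattern (pickle.loads on attacker-controlled bytes) beside a static pre-check that disassembles the stream without running it and an unpickler that resolves only allowlisted globals. The `_Exploit` class, the payloads and the `ALLOWED_GLOBALS` set are constructed for the demo.

```python
"""Added example: hardening untrusted deserialization of the kind described
above. Not TFace code. Assumes the payload format is Python pickle, which the
advisory does not state; the allowlist below is a placeholder, not TFace's."""
import io
import os
import pickle
import pickletools

# Opcodes that can look up or invoke a callable while the stream is loaded.
# A stream containing none of them can only build plain data structures.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# (module, name) pairs a legitimate evaluation payload may reference.
# Hypothetical allowlist for the demo; a real one is derived from the
# types the eval code actually needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def dangerous_opcodes(data: bytes) -> set[str]:
    """Disassemble the pickle stream without executing it and report which
    code-invoking opcodes it contains. Cheap enough for a WAF or upload hook."""
    seen = {op.name for op, _arg, _pos in pickletools.genops(data)}
    return seen & CODE_OPCODES


class RestrictedUnpickler(pickle.Unpickler):
    """pickle calls find_class for every GLOBAL/STACK_GLOBAL, so overriding it
    is the choke point: anything outside the allowlist is never resolved."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def unsafe_load(data: bytes):
    """Vulnerable pattern: attacker-controlled bytes go straight into
    pickle.loads, so any callable the stream names runs during load."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Hardened pattern: refuse streams with code-invoking opcodes, then
    unpickle through the allowlist as a second layer."""
    bad = dangerous_opcodes(data)
    if bad:
        raise pickle.UnpicklingError(f"refusing stream with {sorted(bad)}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Exploit:
    """Constructed payload generator: __reduce__ makes the pickle call
    os.getcwd() on load. A real exploit would name os.system or similar."""

    def __reduce__(self):
        return (os.getcwd, ())


def constructed_payloads() -> tuple[bytes, bytes]:
    """Constructed sample inputs: a benign eval result and the exploit."""
    benign = pickle.dumps({"top1": 0.987, "samples": [1, 2, 3]})
    malicious = pickle.dumps(_Exploit())
    return benign, malicious


def demo() -> dict:
    benign, malicious = constructed_payloads()
    try:
        RestrictedUnpickler(io.BytesIO(malicious)).load()
        allowlist_blocked = False
    except pickle.UnpicklingError:
        allowlist_blocked = True
    try:
        safe_load(malicious)
        precheck_blocked = False
    except pickle.UnpicklingError:
        precheck_blocked = True
    return {
        "benign_loads_safely": safe_load(benign) == {"top1": 0.987, "samples": [1, 2, 3]},
        "malicious_opcodes": sorted(dangerous_opcodes(malicious)),
        # True means unsafe_load really ran os.getcwd() on the attacker's behalf
        "malicious_ran_code": unsafe_load(malicious) == os.getcwd(),
        "precheck_blocked": precheck_blocked,
        "allowlist_blocked": allowlist_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The static pre-check is deliberately coarse (it rejects any stream that could call a function, which also rejects legitimate objects with custom constructors); the allowlisting unpickler is the precise control, and the two are layered because a single gate on a deserialization path is exactly what this class of bug gets past.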
🔍 How to Verify
Check if Vulnerable:
TFace is distributed as source, so compare the deployed checkout's history against the fix commit rather than a version number: any checkout that does not contain commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9 is vulnerable. Also review whether the eval endpoint accepts serialized data without validation.
Check Version:
git log --oneline -1 # HEAD of the deployed TFace checkout; run inside the repository directory
git merge-base --is-ancestor 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9 HEAD && echo "fix present" || echo "VULNERABLE" # exit 0 only if the fix commit is in HEAD's history
Verify Fix Applied:
Confirm commit 7b2eed297d43dcdd1e3d45bfdfc950478e3af5d9 is an ancestor of the deployed checkout. Then, in a test environment only, send the eval endpoint a malformed or non-allowlisted serialized payload and confirm it is rejected with an error rather than processed.
📡 Detection & Monitoring
Log Indicators:
- Requests to the eval endpoint carrying serialized data from unexpected sources (if the format is Python pickle, bodies beginning with byte 0x80, which base64-encodes to "gASV" for protocol 4 and "gAWV" for protocol 5)
- Error logs showing deserialization failures, or the TFace process spawning unexpected child processes
Network Indicators:
- HTTP requests to TFace eval endpoint with unusual payloads
- Outbound connections from TFace to unknown IPs post-exploit
SIEM Query (pseudo-syntax; as originally written, AND bound tighter than OR, so uri="/eval" OR method="POST" AND contains(payload, "serialized") matched every /eval request and any POST whose body contained the literal word "serialized", which no real serialized payload does):
source="tface.logs" AND uri="/eval" AND method="POST" AND (NOT src_ip IN [TRUSTED_IPS] OR payload_prefix="gASV" OR payload_prefix="gAWV")
The payload_prefix test assumes the format is Python pickle; adjust the field names to your log schema and [TRUSTED_IPS] to the sources allowed through the firewall.
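The detection logic behind that query, run over a constructed log so the difference between the rule as written and the corrected rule is visible. This is added example code, not TFace code or its logging: the one-JSON-object-per-request log format with a base64 body prefix, the trusted-source list, and the pickle magic-byte check (which assumes the serialized format is Python pickle) are all assumptions made for the demo.

```python
"""Added example: the SIEM detection logic above, run over a constructed log.
Not TFace code. The log schema, the TRUSTED_SOURCES set and the pickle
magic-byte check are assumptions for the demo."""
import base64
import json

TRUSTED_SOURCES = {"10.0.0.5", "10.0.0.6"}  # assumed: hosts allowed through the firewall
PICKLE_PROTO = b"\x80"  # PROTO opcode that opens every protocol >= 2 pickle


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed events, not real TFace logs. Event 3 is the attack:
# a POST to /eval from an untrusted address whose body is a pickle stream.
CONSTRUCTED_EVENTS = [
    {"id": 1, "src": "10.0.0.5", "method": "GET", "uri": "/eval", "body_b64": ""},
    {"id": 2, "src": "10.0.0.5", "method": "POST", "uri": "/eval",
     "body_b64": _b64(b'{"model": "r50"}')},
    {"id": 3, "src": "203.0.113.9", "method": "POST", "uri": "/eval",
     "body_b64": _b64(b"\x80\x04\x95\x10\x00")},
    {"id": 4, "src": "10.0.0.5", "method": "POST", "uri": "/upload",
     "body_b64": _b64(b"serialized model notes")},
    {"id": 5, "src": "10.0.0.6", "method": "GET", "uri": "/health", "body_b64": ""},
]
CONSTRUCTED_LOG = "\n".join(json.dumps(e) for e in CONSTRUCTED_EVENTS)


def parse_events(text: str) -> list[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def body(ev: dict) -> bytes:
    return base64.b64decode(ev.get("body_b64", ""))


def matches_as_written(ev: dict) -> bool:
    """The query as originally written. AND binds tighter than OR, so it is
    uri="/eval" OR (method="POST" AND contains(payload, "serialized")):
    every /eval request alerts, as does any POST whose body happens to
    contain the word "serialized"."""
    return ev["uri"] == "/eval" or (
        ev["method"] == "POST" and b"serialized" in body(ev))


def matches_corrected(ev: dict) -> bool:
    """Corrected rule: a POST to /eval that either comes from outside the
    trusted set or carries a body opening with the pickle PROTO byte."""
    if not (ev["uri"] == "/eval" and ev["method"] == "POST"):
        return False
    return ev["src"] not in TRUSTED_SOURCES or body(ev).startswith(PICKLE_PROTO)


def run_rule(text: str, rule) -> list[int]:
    """Return the ids of the events a rule would alert on."""
    return [ev["id"] for ev in parse_events(text) if rule(ev)]


if __name__ == "__main__":
    print("as written:", run_rule(CONSTRUCTED_LOG, matches_as_written))
    print("corrected: ", run_rule(CONSTRUCTED_LOG, matches_corrected))
```

On the constructed log the original rule alerts on four of five events, including the routine GET and the benign JSON POST to /eval, while the corrected rule alerts only on the attack; in a real deployment the magic-byte check is the part to tune, since any encoding of the body (multipart, gzip) moves the bytes the rule must look at.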