CVE-2025-13715

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code as root on systems running Tencent FaceDetection-DSFD with the resnet endpoint. Attackers can exploit it by tricking users into visiting malicious web pages or opening malicious files. Organizations using this facial detection software are affected.

💻 Affected Systems

Products:
  • Tencent FaceDetection-DSFD
Versions: Prior to commit a941d089d8ae2df5292a904e79d88649cb58a440
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where the resnet endpoint is exposed and processing untrusted data.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root privileges, allowing complete control over affected systems, data theft, and lateral movement within networks.

🟠 Likely Case

Remote code execution leading to data exfiltration, installation of malware/ransomware, or system disruption.

🟢 If Mitigated

Limited impact with proper network segmentation, application sandboxing, and user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication. ZDI has confirmed the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit a941d089d8ae2df5292a904e79d88649cb58a440

Vendor Advisory: https://github.com/Tencent/FaceDetection-DSFD/commit/a941d089d8ae2df5292a904e79d88649cb58a440

Restart Required: Yes

Instructions:

  1. Update to the latest version from GitHub.
  2. Apply the security patch commit a941d089d8ae2df5292a904e79d88649cb58a440.
  3. Restart the FaceDetection-DSFD service.

🔧 Temporary Workarounds

Disable resnet endpoint (all platforms)

Temporarily disable the vulnerable resnet endpoint if not required.

# Configuration depends on deployment method

Network isolation (linux)

Restrict network access to FaceDetection-DSFD to trusted sources only.

iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-supplied data to the resnet endpoint.
  • Run FaceDetection-DSFD with minimal privileges (non-root user) and in a containerized/sandboxed environment.

🔍 How to Verify

Check if Vulnerable:

Check whether your FaceDetection-DSFD checkout predates commit a941d089d8ae2df5292a904e79d88649cb58a440, i.e. whether that commit is absent from the history of the installed revision.

Check Version (prints only the currently checked-out commit):

git log --oneline -1

Verify Fix Applied:

Verify that the commit a941d089d8ae2df5292a904e79d88649cb58a440 is applied in your installation.
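Looking only at the HEAD commit does not tell you whether the fix commit is reachable from it. The script below is an added example, not part of this advisory or of the Tencent project: it asks git whether the fix commit is an ancestor of the checked-out revision and separates a genuinely unpatched checkout from a clone that simply does not contain the object (for example a shallow clone). The repository path is a parameter; FIX_COMMIT is the commit hash named in this advisory.

```shell
# Added example: check whether the CVE-2025-13715 fix commit is in the
# history of a FaceDetection-DSFD checkout. Not the project's own tooling.
FIX_COMMIT="a941d089d8ae2df5292a904e79d88649cb58a440"

# fix_applied <repo_dir> [<commit>]
# Returns 0 when <commit> (default: FIX_COMMIT) is an ancestor of HEAD in
# <repo_dir>, 1 when HEAD does not contain it, and 2 when the repository
# does not know the commit at all (shallow or stale clone).
fix_applied() {
  repo="$1"
  commit="${2:-$FIX_COMMIT}"
  # Unknown object: cannot decide; the caller should fetch full history.
  git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null || return 2
  if git -C "$repo" merge-base --is-ancestor "$commit" HEAD; then
    return 0
  fi
  return 1
}

# report <repo_dir>: human-readable verdict for the checkout in <repo_dir>.
report() {
  rc=0
  fix_applied "$1" || rc=$?
  case $rc in
    0) echo "FIXED: $FIX_COMMIT is in the history of HEAD" ;;
    1) echo "VULNERABLE: HEAD does not contain $FIX_COMMIT" ;;
    *) echo "UNKNOWN: commit not present locally; run 'git fetch --unshallow' and retry" ;;
  esac
  return "$rc"
}
```

Run it as `report /path/to/FaceDetection-DSFD`; the exit status (0, 1 or 2) matches the printed verdict so it can be used from inventory scripts.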

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from FaceDetection-DSFD
  • Errors or crashes in resnet endpoint logs
  • Suspicious deserialization attempts

Network Indicators:

  • Unexpected outbound connections from FaceDetection-DSFD servers
  • Traffic spikes to resnet endpoint

SIEM Query:

source="*facedetection*" AND (event="deserialization" OR event="resnet" OR process="unusual_execution")
