CVE-2025-13713: CWE-502: Deserialization of Untrusted Data in Tencent Hunyuan3D-1
Tencent Hunyuan3D-1 load_pretrained Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent Hunyuan3D-1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_pretrained function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27191.
AI Analysis
Technical Summary
CVE-2025-13713 is a deserialization of untrusted data vulnerability (CWE-502) found in Tencent's Hunyuan3D-1 product, specifically within the load_pretrained function. This function improperly handles user-supplied data without adequate validation, allowing attackers to craft malicious serialized objects. When such data is deserialized, it can trigger arbitrary code execution in the context of the root user, effectively granting full control over the affected system. The attack vector requires local access or user interaction, such as opening a malicious file or visiting a specially crafted web page. The vulnerability was assigned a CVSS v3.0 score of 7.8, indicating high severity with attack vector local, low attack complexity, no privileges required, but user interaction necessary. The flaw was reported by ZDI (ZDI-CAN-27191) and published in late 2025. No public exploits have been observed yet, but the potential for remote code execution with root privileges makes this a critical risk for affected environments. The lack of patches at the time of reporting increases the urgency for mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant threat to systems running Tencent Hunyuan3D-1, particularly those involved in AI, 3D modeling, or related research and development. Successful exploitation can lead to complete system compromise, data theft, manipulation, or destruction, and disruption of critical services. The root-level code execution means attackers can bypass most security controls, implant persistent malware, or pivot within networks. Given the user interaction requirement, phishing or social engineering campaigns could be used to trigger exploitation. The impact extends to intellectual property loss, operational downtime, and potential regulatory penalties under GDPR if sensitive data is compromised. Organizations relying on this software for production or research should consider the vulnerability a high priority for remediation to avoid severe confidentiality, integrity, and availability breaches.
Mitigation Recommendations
1. Immediately monitor for updates or patches from Tencent and apply them as soon as available.
2. Until patches are released, restrict access to the load_pretrained functionality and limit exposure of the software to untrusted users or networks.
3. Implement strict input validation and sanitization on any data processed by load_pretrained to prevent deserialization of malicious objects.
4. Educate users about the risks of opening untrusted files or visiting suspicious websites to reduce the likelihood of user interaction exploitation.
5. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect and block suspicious activities related to deserialization attacks.
6. Use network segmentation to isolate systems running Hunyuan3D-1 from critical infrastructure.
7. Conduct regular security audits and penetration testing focusing on deserialization vulnerabilities and user interaction attack vectors.
8. Monitor logs for unusual deserialization or execution patterns indicative of exploitation attempts.
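Recommendation 3 asks for validation before deserialization. The page does not show Hunyuan3D-1's load_pretrained implementation, so the following is an added example rather than the project's code: a restricted pickle loader that resolves only an explicit allowlist of classes and refuses every other global reference, which is what stops a CWE-502 pickle from instantiating anything unexpected. The allowlist contents, the loader functions and the two sample checkpoints are constructed assumptions. For PyTorch checkpoints the same principle is applied by torch.load(..., weights_only=True) or by storing weights in the safetensors format, which carries no code at all.

```python
import collections
import io
import os
import pickle

# Constructed allowlist: the (module, name) pairs this loader is willing to
# resolve. A real checkpoint loader lists exactly the classes its format needs.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist.

    pickle resolves every GLOBAL / STACK_GLOBAL opcode through find_class(),
    so overriding it is the documented hook for controlling what a stream can
    import or instantiate while it is being loaded.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not on allowlist"
        )


def safe_loads(data: bytes):
    """Deserialize with the allowlisting unpickler; raises on unexpected globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_checkpoint_safely(data: bytes):
    """Return (True, payload) on success or (False, reason) when refused."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def unrestricted_resolves(data: bytes) -> bool:
    """Contrast: stock pickle.loads resolves whatever global the stream names.

    Only used here to show the difference; a loader should never do this on
    untrusted input.
    """
    return callable(pickle.loads(data))


# Constructed sample inputs.
# 1) A plain state-dict-like checkpoint: only data containers, no code.
BENIGN_CHECKPOINT = pickle.dumps(
    collections.OrderedDict([("layer.weight", [0.1, 0.2]), ("epoch", 3)])
)
# 2) A stream that references a global outside the allowlist. The reference is
#    to a harmless function (merely resolved, never called); the point is that
#    the loader refuses *any* import it did not expect.
UNEXPECTED_GLOBAL = pickle.dumps(os.getcwd)


if __name__ == "__main__":
    print(load_checkpoint_safely(BENIGN_CHECKPOINT))
    print(load_checkpoint_safely(UNEXPECTED_GLOBAL))
    print("stock pickle resolves it anyway:", unrestricted_resolves(UNEXPECTED_GLOBAL))
```

The allowlist is deliberately a set of exact (module, name) pairs rather than a module prefix check, because prefix matching is how such filters are usually bypassed. Anything the loader cannot account for is rejected outright, and the rejection surfaces as a loggable error, which also serves recommendation 8.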
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: zdi
- Date Reserved: 2025-11-25T21:53:02.469Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 694b0d95d69af40f312d38a2
Added to database: 12/23/2025, 9:45:57 PM
Last enriched: 12/23/2025, 10:01:21 PM
Last updated: 12/24/2025, 1:10:44 AM