The vulnerability identified as CVE-2025-67729 affects InternLM's lmdeploy toolkit, a software suite designed to compress, deploy, and serve large language models (LLMs). The core issue is an insecure deserialization flaw (CWE-502) stemming from the use of the PyTorch function torch.load() without the weights_only=true parameter when loading model checkpoint files (.bin or .pt). Normally, torch.load() can deserialize arbitrary Python objects, which, if untrusted, can lead to arbitrary code execution. By omitting weights_only=true, lmdeploy inadvertently allows execution of malicious payloads embedded within model files. An attacker can craft a malicious model checkpoint that, when loaded by a victim using a vulnerable lmdeploy version (<0.11.1), triggers execution of arbitrary code with the privileges of the user running lmdeploy. This can lead to full system compromise, data theft, or disruption of services. The vulnerability requires user interaction to load the malicious model file but does not require prior authentication, making it exploitable in scenarios where users download or receive untrusted model files. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. The issue was publicly disclosed on December 26, 2025, and has been patched in lmdeploy version 0.11.1. No known exploits have been reported in the wild yet, but the risk remains significant given the widespread adoption of LLM deployment tools and the critical nature of AI infrastructure.

For European organizations, the impact of this vulnerability is substantial. Organizations leveraging lmdeploy for AI model deployment, including research institutions, AI startups, and enterprises integrating LLMs into their products or services, face risks of remote code execution leading to data breaches, intellectual property theft, and operational disruption. Compromise could allow attackers to manipulate AI models, exfiltrate sensitive data, or pivot to other internal systems. Given the increasing reliance on AI technologies across sectors such as finance, healthcare, manufacturing, and government, exploitation could have cascading effects on service availability and trust. Additionally, regulatory frameworks like GDPR impose strict data protection requirements, and a breach resulting from this vulnerability could lead to significant legal and financial penalties. The need for user interaction limits automated exploitation but does not eliminate risk, especially in environments where model files are frequently shared or downloaded from external sources.

To mitigate this vulnerability, European organizations should: 1) Immediately upgrade lmdeploy to version 0.11.1 or later, where the vulnerability is patched by enforcing weights_only=true during model loading. 2) Implement strict validation and integrity checks on all model files before loading, including cryptographic signatures or hashes from trusted sources. 3) Restrict model file loading to isolated or sandboxed environments to limit potential damage from malicious payloads. 4) Educate users and developers about the risks of loading untrusted model files and enforce policies that prohibit using models from unverified sources. 5) Monitor systems running lmdeploy for unusual behavior indicative of exploitation attempts, such as unexpected process spawning or network activity. 6) Employ network segmentation and least privilege principles to reduce the attack surface and limit lateral movement if compromise occurs. 7) Maintain up-to-date backups of critical AI models and system configurations to enable recovery in case of compromise.