This work reveals a previously unrecognized vulnerability in image-to-video diffusion models: their implicitly learned temporal state transition mechanism is susceptible to adversarial manipulation. The study identifies this mechanism as a novel attack surface and introduces a trajectory control attack that models perturbations via a low-dimensional velocity field. Through temporal integration, this approach generates a continuous displacement field that maps perturbations into the observation space, enabling precise control over state evolution. The proposed framework is universally applicable under both white-box and black-box settings, achieving attack success rates exceeding 90% (white-box) and 80% (black-box) under strong constraints, while limiting increases in FID and FVD to below 6 and 130, respectively—thereby significantly compromising temporal consistency with minimal perceptual distortion.

Diffusion-based image-to-video (I2V) models increasingly exhibit world-model-like properties by implicitly capturing temporal dynamics. However, existing studies have mainly focused on visual quality and controllability, and the robustness of the state transition learned by the model remains understudied. To fill this gap, we are the first to analyze the vulnerability of I2V models, find that temporal control mechanisms constitute a new attack surface, and reveal the challenge of modeling them uniformly under different attack settings. Based on this, we propose a trajectory-control attack, called CtrlAttack, to interfere with state evolution during the generation process. Specifically, we represent the perturbation as a low-dimensional velocity field and construct a continuous displacement field via temporal integration, thereby affecting the model's state transitions while maintaining temporal consistency; meanwhile, we map the perturbation to the observation space, making the method applicable to both white-box and black-box attack settings. Experimental results show that even under low-dimensional and strongly regularized perturbation constraints, our method can still significantly disrupt temporal consistency by increasing the attack success rate (ASR) to over 90% in the white-box setting and over 80% in the black-box setting, while keeping the variation of the FID and FVD within 6 and 130, respectively, thus revealing the potential security risk of I2V models at the level of state dynamics.