
CVE-2024-12642: CHT TenderDocTransfer Path Traversal Flaw

CVE-2024-12642 is a path traversal vulnerability in Chunghwa Telecom TenderDocTransfer that allows arbitrary file writes. Because the client's local API server lacks CSRF protection and path validation, a malicious web page can make the client write files anywhere the logged-on user can. This article covers impact, affected versions, detection, and fixes.


CVE-2024-12642 Overview

CVE-2024-12642 is an arbitrary file write vulnerability in TenderDocTransfer, a desktop client distributed by Chunghwa Telecom. The application launches a local web server and exposes APIs that mediate communication with a target website. The exposed APIs lack Cross-Site Request Forgery (CSRF) protection, so any web page a victim visits can issue requests to the local server. One API combines this gap with a relative path traversal flaw [CWE-23], allowing attackers to write attacker-controlled content to arbitrary file system paths. The issue is tracked as a network-exploitable vulnerability that requires the victim to load a malicious page.

Critical Impact

Unauthenticated attackers can write arbitrary files to any path accessible to the user, enabling code execution, persistence, and host compromise through a single phishing click.

Affected Products

  • Chunghwa Telecom TenderDocTransfer (desktop client)
  • All versions exposing the local API server prior to the vendor fix
  • Windows endpoints running the affected installer

Discovery Timeline

  • 2024-12-16 - CVE-2024-12642 published to the National Vulnerability Database (NVD)
  • 2025-12-23 - Last updated in the NVD

Technical Details for CVE-2024-12642

Vulnerability Analysis

TenderDocTransfer installs a helper service that listens on the loopback interface and exposes Hypertext Transfer Protocol (HTTP) APIs. These APIs are intended to bridge a remote tender-management website with local document handling routines. Because the endpoints do not validate the request Origin or Referer headers and do not require any anti-CSRF token, a victim browsing an attacker-controlled page can have their browser silently issue requests to http://127.0.0.1 on behalf of the attacker.

One of the exposed endpoints accepts a destination file path as input and writes caller-supplied content to disk. The path parameter is not normalized or constrained to a safe base directory. Supplying traversal sequences such as ..\..\ allows the path to escape the intended document folder and resolve to arbitrary locations on the file system. The result is a remote, unauthenticated arbitrary file write that runs with the privileges of the logged-on user.

Root Cause

The root cause is a combination of two defects. First, the local API server omits CSRF defenses, treating any loopback request as trusted. Second, the file-handling API performs relative path traversal [CWE-23] because it concatenates user input into a file path without canonicalizing the result or enforcing an allowlist of target directories.

Attack Vector

An attacker hosts or injects a malicious page and lures a TenderDocTransfer user to visit it through phishing. The page issues a cross-origin fetch or form POST to the local API endpoint with a crafted path parameter and file contents. The local server writes the file to a sensitive location such as a Windows Startup folder, a service binary path, or a script invoked by another application. On the next user logon or program execution, the planted file runs, granting the attacker code execution on the endpoint.

No synthetic exploitation code is reproduced here. Refer to the TWCERT Security Advisory for vendor-confirmed technical details.

Detection Methods for CVE-2024-12642

Indicators of Compromise

  • Unexpected file writes by the TenderDocTransfer helper process to directories outside its installation or document folders.
  • New executables, scripts, or shortcut files appearing in user Startup, AppData, or Public directories shortly after a browsing session.
  • Outbound HTTP requests from web browsers targeting 127.0.0.1 or localhost on the port used by the TenderDocTransfer local server.

Detection Strategies

  • Monitor file creation events where the parent process is the TenderDocTransfer service and the target path contains .. traversal sequences or resolves outside the application's working directory.
  • Inspect web proxy and endpoint telemetry for browser-originated POST requests to loopback addresses immediately followed by suspicious file writes.
  • Alert on TenderDocTransfer spawning child processes or modifying autorun registry keys, which is not part of normal operation.
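As an added example (not the vendor's code and not any real product log format), the Python below shows the canonicalize-then-allowlist check that the root-cause section says the file-handling API omits, and reuses the same check over constructed file-creation telemetry to flag the events the first detection strategy above describes. ALLOWED_BASE, the helper binary name and the key=value event layout are all assumptions.

```python
import ntpath
import re

# Constructed document folder the helper is assumed to be allowed to write into.
ALLOWED_BASE = r"C:\Users\alice\Documents\TenderDocs"
# Assumed helper process name; substitute the real binary name from your inventory.
HELPER_EXE = "tenderdoctransfer.exe"

def resolve_target(base: str, requested: str) -> str:
    """Join caller input onto base and canonicalize with Windows path rules (ntpath works on any OS)."""
    return ntpath.normpath(ntpath.join(base, requested))

def is_inside(base: str, target: str) -> bool:
    """True only when the canonical target is base itself or sits below it (case-insensitive, like NTFS)."""
    base_n = ntpath.normcase(ntpath.normpath(base))
    target_n = ntpath.normcase(target)
    return target_n == base_n or target_n.startswith(base_n + "\\")

def safe_write_path(requested: str) -> str:
    """Hardened path handling: canonicalize first, then enforce the base-directory allowlist."""
    target = resolve_target(ALLOWED_BASE, requested)
    if not is_inside(ALLOWED_BASE, target):
        raise ValueError(f"refusing path that escapes the document folder: {requested!r}")
    return target

# Constructed file-creation telemetry in a simple key=value layout (not real product logs).
EVENT_RE = re.compile(r"parent=(?P<parent>.+?) op=create path=(?P<path>.+)$")
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def flag_events(lines):
    """Return (path, reason) for helper-originated creations with a '..' sequence or outside ALLOWED_BASE."""
    hits = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or ntpath.basename(m["parent"]).lower() != HELPER_EXE:
            continue  # ignore events from other processes
        raw = m["path"]
        if TRAVERSAL_RE.search(raw):
            hits.append((raw, "traversal sequence"))
        elif not is_inside(ALLOWED_BASE, ntpath.normpath(raw)):
            hits.append((raw, "outside document folder"))
    return hits

SAMPLE_EVENTS = [  # constructed, for demonstration only
    r"2025-01-10T09:00:01Z parent=C:\Program Files\TDT\TenderDocTransfer.exe op=create path=C:\Users\alice\Documents\TenderDocs\bid.pdf",
    r"2025-01-10T09:00:02Z parent=C:\Program Files\TDT\TenderDocTransfer.exe op=create path=C:\Users\alice\Documents\TenderDocs\..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"2025-01-10T09:00:03Z parent=C:\Program Files\TDT\TenderDocTransfer.exe op=create path=C:\Users\alice\AppData\Roaming\run.vbs",
    r"2025-01-10T09:00:04Z parent=C:\Windows\explorer.exe op=create path=C:\Users\alice\Desktop\notes.txt",
]
```

Running `flag_events(SAMPLE_EVENTS)` yields two alerts: the second event for its traversal sequence and the third because its canonical path is outside the document folder; the explorer.exe event is ignored.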

Monitoring Recommendations

  • Enable file integrity monitoring on user-writable autorun locations and common persistence paths on hosts running TenderDocTransfer.
  • Capture process and network telemetry from the TenderDocTransfer service for retrospective hunting in your security data lake.
  • Review browser history alongside file creation timestamps to correlate phishing visits with file-write events.

How to Mitigate CVE-2024-12642

Immediate Actions Required

  • Inventory all endpoints with TenderDocTransfer installed and prioritize patching for users who handle Chunghwa Telecom tender workflows.
  • Apply the vendor-supplied update referenced in the TWCERT Security Advisory as soon as it is available in your environment.
  • Restrict outbound browsing on affected hosts to trusted domains until the patch is deployed.

Patch Information

Chunghwa Telecom has issued a fixed version of TenderDocTransfer through TWCERT coordination. Administrators should consult the TWCERT Incident Report for the patched build identifier and download location, then deploy the update through standard software-management tooling.

Workarounds

  • Uninstall TenderDocTransfer on hosts that do not actively require it, eliminating the local API listener entirely.
  • Block the loopback port used by the application via a host firewall rule when the client is not in active use.
  • Deliver targeted user awareness reminders warning TenderDocTransfer users not to follow unsolicited links during tender activity.
```powershell
# Example Windows host firewall rule to block the local API port while the client is not in use.
# Run from an elevated prompt. Replace <PORT> with the port observed for the TenderDocTransfer local server.
# interfacetype only accepts any|wireless|lan|ras, so the rule is scoped to loopback with localip/remoteip.
# Verify with a test connection to 127.0.0.1:<PORT> that the rule actually blocks loopback traffic on your build.
netsh advfirewall firewall add rule name="Block TenderDocTransfer Local API" `
    dir=in action=block protocol=TCP localport=<PORT> localip=127.0.0.1 remoteip=127.0.0.1
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
