CVE-2025-13282 Overview
TenderDocTransfer, a document transfer application developed by Chunghwa Telecom, contains an Arbitrary File Delete vulnerability that allows unauthenticated remote attackers to delete arbitrary files on a user's system. The application sets up a simple local web server and provides APIs for communication with target websites. Due to the lack of Cross-Site Request Forgery (CSRF) protection in the APIs, attackers can exploit these interfaces through phishing attacks. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, enabling attackers to delete arbitrary files on the affected system.
Critical Impact
This vulnerability enables unauthenticated remote attackers to delete arbitrary files on a user's system through a combination of CSRF and Path Traversal attacks, potentially leading to data loss, system instability, or denial of service.
Affected Products
- CHT TenderDocTransfer (all versions)
Discovery Timeline
- 2025-11-17 - CVE-2025-13282 published to NVD
- 2025-12-19 - Last updated in NVD database
Technical Details for CVE-2025-13282
Vulnerability Analysis
This vulnerability represents a dangerous combination of two distinct security weaknesses: Cross-Site Request Forgery (CSRF) and Absolute Path Traversal (CWE-36). The TenderDocTransfer application creates a local web server that exposes APIs without implementing proper CSRF protections. This design flaw allows malicious websites to make requests to the local server on behalf of the user without proper validation.
The attack requires user interaction, typically achieved through phishing techniques where victims are lured to malicious web pages. Once on such a page, the attacker's JavaScript can silently make requests to the local TenderDocTransfer server API endpoints. The path traversal component allows attackers to specify absolute file paths, bypassing any intended directory restrictions.
The integrity and availability impact is significant as attackers can delete critical system files or user data, while confidentiality remains unaffected since the vulnerability only enables deletion, not data exfiltration.
Root Cause
The root cause of this vulnerability stems from two fundamental security failures in the application design. First, the application fails to implement CSRF tokens or other anti-forgery mechanisms in its API endpoints, so cross-origin requests from any website the user visits are processed without validation. Second, the file deletion API does not properly validate the supplied file path, accepting absolute paths that point outside the intended application directory. Missing CSRF protection combined with Absolute Path Traversal (CWE-36) creates an exploitable attack surface.
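The two failures above map to two independent checks in a hardened delete handler. The following Python is an added example, not the vendor's code: the transfer directory, trusted front-end origin, header names and the `path` parameter are assumptions, since the advisory does not document the real API.

```python
import secrets
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed values: the real application's transfer directory, trusted
# front-end origin and token scheme are not documented in the advisory.
TRANSFER_DIR = Path("/tmp/tenderdoc_transfers")
TRUSTED_ORIGINS = {"https://tender.example.gov.tw"}


class RequestRejected(Exception):
    """Raised for any request the hardened handler refuses to act on."""


def check_origin(headers: dict) -> None:
    """CSRF defence 1: browsers attach an Origin header to cross-site
    requests, so a local API can refuse anything not from its own front end."""
    origin = headers.get("Origin")
    if origin not in TRUSTED_ORIGINS:
        raise RequestRejected(f"untrusted origin: {origin!r}")


def check_csrf_token(headers: dict, expected: str) -> None:
    """CSRF defence 2: a per-session secret a phishing page cannot read."""
    supplied = headers.get("X-CSRF-Token", "")
    if not secrets.compare_digest(supplied, expected):
        raise RequestRejected("missing or wrong CSRF token")


def resolve_in_transfer_dir(user_path: str) -> Path:
    """CWE-36 defence: refuse absolute paths (Windows or POSIX form), then
    confine the resolved path so '../' cannot escape the directory either."""
    if PureWindowsPath(user_path).is_absolute() or PurePosixPath(user_path).is_absolute():
        raise RequestRejected(f"absolute path refused: {user_path!r}")
    candidate = (TRANSFER_DIR / user_path).resolve()
    if not candidate.is_relative_to(TRANSFER_DIR.resolve()):
        raise RequestRejected(f"path escapes transfer directory: {user_path!r}")
    return candidate


def handle_delete(headers: dict, params: dict, session_token: str) -> Path:
    """Hardened delete endpoint. The flaw the advisory describes is the
    equivalent of removing params['path'] with none of these checks."""
    check_origin(headers)
    check_csrf_token(headers, session_token)
    target = resolve_in_transfer_dir(params.get("path", ""))
    if target.is_file():
        target.unlink()
    return target
```

Both CSRF checks are kept because an Origin allowlist alone fails for clients that omit the header, while the token alone does not stop a same-origin script; the path check is a separate layer and is needed even when the request is legitimate.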
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a malicious webpage containing JavaScript that makes requests to the local TenderDocTransfer API endpoints. When a victim with TenderDocTransfer running visits this malicious page, the browser executes the JavaScript, which sends requests to localhost or 127.0.0.1 where the TenderDocTransfer server is listening.
The attacker leverages the path traversal flaw by including directory traversal sequences or absolute paths in the API parameters, targeting sensitive files for deletion. For example, the attacker might specify paths like C:\Windows\System32\ or /etc/ to target critical system files, or user directories to destroy personal data.
Detection Methods for CVE-2025-13282
Indicators of Compromise
- Unexpected file deletions across the system, particularly in directories outside the TenderDocTransfer application scope
- Unusual HTTP requests to local server ports used by TenderDocTransfer
- Browser history showing visits to unknown or suspicious websites shortly before file deletion incidents
- Audit logs showing file deletion operations with path traversal patterns (e.g., ../ sequences or absolute paths)
Detection Strategies
- Monitor local network traffic for suspicious requests to TenderDocTransfer API endpoints from external origins
- Implement file integrity monitoring (FIM) to detect unexpected deletions of critical system files
- Review web proxy logs for phishing attempts directing users to malicious sites that may exploit this vulnerability
- Deploy endpoint detection solutions that can identify suspicious file deletion patterns across multiple directories
Monitoring Recommendations
- Enable verbose logging on TenderDocTransfer if available to capture all API requests
- Configure Windows Event Logging or Linux auditd to track file deletion events system-wide
- Set up alerts for bulk file deletion operations or deletions in system-critical directories
- Monitor browser activity for redirects to suspicious domains that may host exploitation code
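The two log-based indicators listed above (requests to the delete API carrying absolute or `../` paths, and requests arriving with a non-local Origin) can be checked mechanically. This Python scanner is an added example, not vendor tooling: the JSON-lines log format, the `/api/delete` endpoint name and the field names are constructed, since the advisory does not document the real API or its logging.

```python
import json
import re

# Constructed log format and endpoint name: the advisory does not document
# the real API, so the field names here are assumptions for the example.
DELETE_ENDPOINT = "/api/delete"
LOCAL_ORIGINS = {"http://localhost", "http://127.0.0.1", "https://tender.example.gov.tw"}
# Absolute Windows path (C:\ or C:/), POSIX or UNC root, or a '..' path segment.
TRAVERSAL = re.compile(r"^[A-Za-z]:[\\/]|^[\\/]|(?:^|[\\/])\.\.(?:[\\/]|$)")


def classify(entry: dict) -> list:
    """Return the indicator names that fire for one request record."""
    if entry.get("endpoint") != DELETE_ENDPOINT:
        return []
    reasons = []
    if TRAVERSAL.search(entry.get("file", "")):
        reasons.append("absolute_or_traversal_path")
    origin = entry.get("origin")
    if origin is not None and origin not in LOCAL_ORIGINS:
        reasons.append("untrusted_origin")
    return reasons


def scan(log_text: str) -> list:
    """Scan a JSON-lines access log of the local server; return (ts, reasons)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            alerts.append((entry["ts"], reasons))
    return alerts


# Constructed sample records: one benign transfer, two matching the IoCs,
# one request to a different endpoint that should not alert.
SAMPLE_LOG = r'''
{"ts": "2025-11-18T09:14:02Z", "endpoint": "/api/delete", "file": "2025/bid.pdf", "origin": "https://tender.example.gov.tw"}
{"ts": "2025-11-18T09:20:41Z", "endpoint": "/api/delete", "file": "C:\\Users\\alice\\Documents\\bid.pdf", "origin": "https://phish.example"}
{"ts": "2025-11-18T09:21:05Z", "endpoint": "/api/delete", "file": "../../../etc/hosts", "origin": "https://tender.example.gov.tw"}
{"ts": "2025-11-18T09:22:10Z", "endpoint": "/api/status", "file": "", "origin": "https://phish.example"}
'''

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, ", ".join(reasons))
```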
How to Mitigate CVE-2025-13282
Immediate Actions Required
- Contact Chunghwa Telecom for updated versions of TenderDocTransfer that address this vulnerability
- Consider temporarily disabling or uninstalling TenderDocTransfer until a patch is available
- Implement application-level firewall rules to restrict access to the local TenderDocTransfer server
- Educate users about phishing risks and advise them not to follow suspicious links while TenderDocTransfer is running
Patch Information
Refer to the TWCert Security Advisory for official patch information and updated software versions from Chunghwa Telecom. Users should monitor the advisory for updates and apply patches as soon as they become available.
Workarounds
- Disable or close TenderDocTransfer when not actively in use to reduce the attack surface
- Configure browser settings to block cross-origin requests to localhost addresses where possible
- Use browser extensions that provide CSRF protection or block suspicious JavaScript execution
- Implement network segmentation or firewall rules to limit external access to local services
# Windows: stop the TenderDocTransfer service when it is not in use
# Open Services (services.msc), locate the TenderDocTransfer service,
# set its startup type to "Manual" and stop it when not needed.
# Alternative: block the local server port with Windows Firewall (PowerShell).
# Replace PORT_NUMBER with the port TenderDocTransfer actually listens on.
New-NetFirewallRule -DisplayName "Block TenderDocTransfer External" -Direction Inbound -LocalPort PORT_NUMBER -Protocol TCP -Action Block -RemoteAddress Any
# Caveat: Windows Defender Firewall does not filter loopback traffic, so this rule keeps other hosts off the port
# but does not stop a page open in the local browser from reaching 127.0.0.1; stopping the service does.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.