Cyber Posture

CVE-2025-13282

Severity: High

Published: 17 November 2025
Modified: 19 December 2025
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0053 (67.4th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

TenderDocTransfer, developed by Chunghwa Telecom, has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Implements input validation at API endpoints to directly block absolute path traversal, preventing arbitrary file deletion.

prevent: Enforces session authenticity, including CSRF protections, to block phishing-induced forged requests to unprotected APIs.

prevent: Mandates enforcement of access authorizations to restrict unauthenticated file deletion operations via flawed APIs.
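The three controls above reduce to two checks at the file-deletion endpoint of a local helper server: verify that the request really came from the application's own page (origin check plus a per-session CSRF token), and confine the requested path to a managed directory so that absolute paths and `..` escapes are refused. The Python below is an added illustration written for this page; it is not code from TenderDocTransfer or Chunghwa Telecom, and the endpoint shape, header names, allowed origins, token scheme and directory layout are all assumptions made for the example.

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path

# Assumption for this example: the local server hands a random token to its own
# front-end at startup and requires it on every state-changing request.
EXPECTED_TOKEN = secrets.token_hex(16)

# Assumption: the helper's own page is served from one of these origins.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}


def origin_allowed(headers: dict) -> bool:
    """Reject requests that carry no Origin or a foreign one.

    A request triggered from another site arrives with that site's Origin (or
    none at all), so a missing header is treated as untrusted."""
    origin = headers.get("Origin")
    return origin is not None and origin in ALLOWED_ORIGINS


def csrf_token_valid(headers: dict, expected: str = EXPECTED_TOKEN) -> bool:
    """Constant-time comparison of the supplied CSRF token with the session token."""
    supplied = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(supplied, expected)


def resolve_delete_target(base_dir: str, requested: str):
    """Return the path inside base_dir that `requested` names, or None.

    Absolute paths are refused outright (the absolute-path-traversal case),
    and anything that resolves outside base_dir after normalisation (``..``
    segments, symlinks) is refused as well. The base directory itself is
    never a valid deletion target."""
    if not requested or os.path.isabs(requested) or "\\" in requested:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    if candidate == base:
        return None
    return candidate


def handle_delete(headers: dict, body: dict, base_dir: str,
                  token: str = EXPECTED_TOKEN) -> tuple:
    """Hardened delete handler: (status code, message)."""
    if not origin_allowed(headers) or not csrf_token_valid(headers, token):
        return 403, "rejected: request did not come from the application's own page"
    target = resolve_delete_target(base_dir, body.get("path", ""))
    if target is None:
        return 400, "rejected: path is absolute or escapes the managed directory"
    if not target.is_file():
        return 404, "no such file"
    target.unlink()
    return 200, "deleted"


def demo() -> dict:
    """Exercise the handler against a scratch directory; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        doc = Path(base) / "uploads" / "doc.pdf"
        doc.parent.mkdir()
        doc.write_bytes(b"constructed sample document")
        own_page = {"Origin": "http://127.0.0.1:8080", "X-CSRF-Token": EXPECTED_TOKEN}
        other_site = {"Origin": "http://example.net"}  # constructed: no token, foreign origin
        results["cross_site"] = handle_delete(other_site, {"path": "uploads/doc.pdf"}, base)[0]
        results["absolute"] = handle_delete(own_page, {"path": "/etc/hosts"}, base)[0]
        results["dotdot"] = handle_delete(own_page, {"path": "../../etc/hosts"}, base)[0]
        results["file_survived"] = doc.is_file()
        results["legit"] = handle_delete(own_page, {"path": "uploads/doc.pdf"}, base)[0]
        results["file_deleted"] = not doc.exists()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the checks matters: the origin and token test runs before any path handling, so a forged cross-site request never reaches the filesystem code at all, and the path check is done on the fully resolved path rather than on the raw string, which is what defeats both absolute paths and relative escapes.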

Security Summary (AI-generated)

CVE-2025-13282 is an Arbitrary File Delete vulnerability in TenderDocTransfer, an application developed by Chunghwa Telecom. The software establishes a simple local web server and exposes APIs for communicating with target websites. Due to missing CSRF protection (CWE-352), combined with an Absolute Path Traversal flaw (CWE-36) in one API, the application allows unauthorized file deletion. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability via phishing to invoke the unprotected APIs without valid CSRF tokens. Exploitation requires user interaction, such as visiting a malicious site or clicking a crafted link that interacts with the local server. Successful attacks enable deletion of arbitrary files on the victim's system, potentially disrupting operations or causing data loss.

TWCERT advisories provide details on the vulnerability, including mitigation recommendations, at the following URLs: https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html and https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html. Security practitioners should consult these for patching instructions and workarounds.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery), CWE-36 (Absolute Path Traversal)

Affected Products

cht / tenderdoctransfer, versions ≤ 0.41.159

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Why these techniques?

The vulnerability enables arbitrary file deletion (T1070.004) and is explicitly exploitable via phishing with crafted links (T1566.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html
https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html