CVE-2025-13282
📋 TL;DR
TenderDocTransfer software from Chunghwa Telecom has two critical vulnerabilities: lack of CSRF protection allows unauthenticated remote attackers to trigger API calls via phishing, and an absolute path traversal flaw in one API enables arbitrary file deletion on the user's system. This affects users running the vulnerable TenderDocTransfer application. Attackers can delete critical system files without authentication.
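The two checks whose absence this advisory describes, shown in a hardened form as an added example (this is not code from TenderDocTransfer or Chunghwa Telecom; the local UI origin, the session token value, the header names and the base directory are assumptions): a local delete API that rejects cross-site requests and confines every requested path to its transfer directory.

```python
import hmac
import os
from pathlib import Path, PureWindowsPath

# Assumed values: the origin of the application's own local UI and its per-session token
ALLOWED_ORIGINS = {"http://127.0.0.1:8080"}
SESSION_TOKEN = "example-session-token"


def path_is_confined(base_dir: str, user_path: str) -> bool:
    """True only if user_path is relative and resolves inside base_dir."""
    # Treat backslashes as separators so Windows-style input gets the same checks
    normalized = user_path.replace("\\", "/")
    win = PureWindowsPath(normalized)
    # Reject empty, absolute (POSIX or Windows), drive-qualified and UNC paths outright
    if (not normalized or normalized.startswith("/") or os.path.isabs(normalized)
            or win.is_absolute() or win.drive):
        return False
    base = Path(base_dir).resolve()
    target = (base / normalized).resolve()
    try:
        target.relative_to(base)  # raises ValueError if ".." escaped base_dir
    except ValueError:
        return False
    return True


def request_is_trusted(headers: dict) -> bool:
    """Reject cross-site requests: require a known Origin and a matching CSRF token."""
    origin = headers.get("Origin", "")
    token = headers.get("X-CSRF-Token", "")
    return origin in ALLOWED_ORIGINS and hmac.compare_digest(token, SESSION_TOKEN)


def handle_delete(base_dir: str, headers: dict, requested_path: str) -> tuple:
    """Hardened delete handler; returns an HTTP-style (status, reason) and never touches disk."""
    if not request_is_trusted(headers):
        return 403, "cross-site request rejected"
    if not path_is_confined(base_dir, requested_path):
        return 400, "path is absolute or outside the transfer directory"
    return 200, "delete permitted"


if __name__ == "__main__":
    ok = {"Origin": "http://127.0.0.1:8080", "X-CSRF-Token": SESSION_TOKEN}
    print(handle_delete("/tmp/tenderdocs", ok, "docs/tender.pdf"))
    print(handle_delete("/tmp/tenderdocs", ok, r"C:\Windows\System32\drivers\etc\hosts"))
    print(handle_delete("/tmp/tenderdocs", {"Origin": "http://phish.example"}, "docs/tender.pdf"))
```

The origin check covers the CSRF half of the advisory and the path check the absolute-path-traversal half; a request has to pass both before the handler would touch a file.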
💻 Affected Systems
- TenderDocTransfer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers delete critical system files (e.g., boot files, system DLLs), causing complete system failure or data loss, or delete backup files to leave the system exposed to a follow-on ransomware deployment.
Likely Case
Attackers delete user documents, configuration files, or application data through phishing campaigns, disrupting business operations.
If Mitigated
With proper network segmentation and CSRF protections, impact is limited to isolated systems with minimal data loss.
🎯 Exploit Status
Exploitation requires phishing but no authentication; path traversal is straightforward once CSRF is triggered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not stated; check the vendor advisory for the fixed version
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html
Restart Required: Yes
Instructions:
1. Contact Chunghwa Telecom for the patched version.
2. Download and install the update.
3. Restart the system.
4. Verify that the local web server has been updated.
🔧 Temporary Workarounds
Disable TenderDocTransfer Service
Windows: Stop and disable the local web server service to prevent API access (substitute the service name shown in services.msc if it differs)
sc stop TenderDocTransfer
sc config TenderDocTransfer start= disabled
Block Local Web Server Port
Windows: Use the firewall to block inbound connections to the application's local port (replace [PORT_NUMBER] with the port the local web server listens on)
netsh advfirewall firewall add rule name="Block TenderDocTransfer" dir=in action=block protocol=TCP localport=[PORT_NUMBER]
🧯 If You Can't Patch
- Uninstall TenderDocTransfer completely if not required
- Implement strict network segmentation to isolate affected systems
🔍 How to Verify
Check if Vulnerable:
Check whether TenderDocTransfer is installed or running (Task Manager or services.msc) and compare the installed version against the vendor advisory
Check Version:
Check the application's properties or the vendor documentation for the installed version
Verify Fix Applied:
Verify that the updated version from the vendor is installed and test that the local APIs reject unauthenticated and cross-origin (CSRF) requests
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- HTTP requests to local TenderDocTransfer API endpoints
Network Indicators:
- Requests to the local API whose Origin or Referer is an external site (a phishing page triggering the call from the victim's browser)
- HTTP POST requests to localhost with file deletion parameters
SIEM Query:
source="*TenderDocTransfer*" AND (action="delete" OR method="POST")