CVE-2025-13282
Published: 17 November 2025
Summary
CVE-2025-13282 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Cht Tenderdoctransfer. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked in the top 32.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-13282 is an Arbitrary File Delete vulnerability in TenderDocTransfer, an application developed by Chunghwa Telecom. The software establishes a simple local web server and exposes APIs for communicating with target websites. Due to missing CSRF protection (CWE-352), combined with an Absolute Path Traversal flaw (CWE-36) in one API, the application allows unauthorized file deletion. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability via phishing to invoke the unprotected APIs without valid CSRF tokens. Exploitation requires user interaction, such as visiting a malicious site or clicking a crafted link that interacts with the local server. Successful attacks enable deletion of arbitrary files on the victim's system, potentially disrupting operations or causing data loss.
TWCERT advisories provide details on the vulnerability, including mitigation recommendations, at the following URLs: https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html and https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html. Security practitioners should consult these for patching instructions and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-197760
Vulnerability details
TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary file deletion (T1070.004) and is explicitly exploitable via phishing with crafted links (T1566.002).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): implements input validation at the API endpoints to reject absolute paths and traversal sequences directly, preventing arbitrary file deletion.
- SC-23 (Session Authenticity): enforces session authenticity, including CSRF protection, so that forged requests induced by phishing are rejected by the otherwise unprotected local APIs.
- Enforces access authorizations so that unauthenticated callers cannot trigger file deletion through the flawed APIs.
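The two weaknesses described in the deeper analysis above (no CSRF protection on the local server's APIs, and an absolute path traversal in the delete API) map directly onto the SC-23 and SI-10 controls listed here. The Python below is an added example of what a hardened delete handler for such a local helper service could look like; it is not TenderDocTransfer's code, and the origin, header names, token handling, directory layout and request shape are all assumptions made for illustration. The example goes slightly beyond the advisory by rejecting Windows-style absolute paths even when the service runs on POSIX.

```python
"""Hardened handling for a local helper service's file-delete API.

Added example, not code from TenderDocTransfer or Chunghwa Telecom. Paths,
origins and header names are assumed for illustration.
"""
import hmac
import secrets
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from urllib.parse import urlsplit

# Assumed: the helper's own UI is the only page allowed to call its APIs.
ALLOWED_ORIGINS = {"http://127.0.0.1:8765"}


class RejectedRequest(Exception):
    """Request failed a security check; nothing is touched on disk."""


def check_csrf(headers: dict, session_token: str) -> None:
    """SC-23 (session authenticity): refuse forged cross-site requests.

    A page the victim was lured to cannot set the helper's own Origin and
    cannot read the per-session token, so a forged request fails here.
    """
    source = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(source)
    # Compare scheme://host:port exactly; a prefix test would let
    # "http://127.0.0.1:8765.phish.example" through.
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        raise RejectedRequest("cross-origin request refused")
    presented = headers.get("X-CSRF-Token", "")
    if not presented or not hmac.compare_digest(presented, session_token):
        raise RejectedRequest("missing or invalid CSRF token")


def resolve_within(base_dir: Path, requested: str) -> Path:
    """SI-10 (input validation): accept only a relative name that lands
    strictly inside base_dir (blocks CWE-36 absolute paths and '..')."""
    if not requested or "\x00" in requested:
        raise RejectedRequest("empty or malformed file name")
    # Check both path flavours so a Windows-style absolute path is caught
    # even when the helper runs on POSIX, and vice versa.
    win = PureWindowsPath(requested)
    if PurePosixPath(requested).is_absolute() or win.is_absolute() or win.drive:
        raise RejectedRequest("absolute paths are not accepted")
    base_real = base_dir.resolve()
    target = (base_real / requested).resolve()  # collapses '..', follows symlinks
    if base_real not in target.parents:
        raise RejectedRequest("path escapes the managed directory")
    return target


def handle_delete(headers: dict, body: dict, session_token: str, base_dir: Path) -> str:
    """Delete endpoint: CSRF check first, then path validation, then unlink."""
    check_csrf(headers, session_token)
    target = resolve_within(base_dir, body.get("file", ""))
    if not target.is_file():
        raise RejectedRequest("no such managed file")
    target.unlink()
    return target.name


def run_demo() -> dict:
    """Run constructed requests against a temporary managed directory."""
    base = Path(tempfile.mkdtemp(prefix="helper-demo-"))
    (base / "upload.txt").write_text("constructed sample content")
    token = secrets.token_urlsafe(16)
    own = {"Origin": "http://127.0.0.1:8765", "X-CSRF-Token": token}
    cases = [  # constructed requests; the legitimate one runs last
        ("forged_cross_site", {"Origin": "http://phish.example"}, "upload.txt"),
        ("lookalike_origin", {"Origin": "http://127.0.0.1:8765.phish.example",
                              "X-CSRF-Token": token}, "upload.txt"),
        ("no_token", {"Origin": "http://127.0.0.1:8765"}, "upload.txt"),
        ("absolute_posix", own, "/etc/hosts"),
        ("absolute_windows", own, r"C:\Windows\win.ini"),
        ("dotdot", own, "../../outside.txt"),
        ("legit", own, "upload.txt"),
    ]
    results = {}
    for name, headers, requested in cases:
        try:
            results[name] = "deleted:" + handle_delete(headers, {"file": requested}, token, base)
        except RejectedRequest as exc:
            results[name] = "rejected:" + str(exc)
    results["upload_still_present"] = (base / "upload.txt").exists()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:22} {outcome}")
```

Two design points matter here. The origin check compares `scheme://host:port` exactly rather than by prefix, because a prefix match is the classic way an allow-list gets bypassed by a look-alike host. The path check resolves the candidate against the managed directory before any filesystem call, so both absolute paths and `..` escapes are refused without the service ever touching the target.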