CVE-2025-13787: Improper Privilege Management in ZenTao
A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component.
AI Analysis
Technical Summary
CVE-2025-13787 is a vulnerability in ZenTao, an open-source project management and bug tracking application used in software development environments. The flaw is in the file::delete function of module/file/control.php (the File Handler component) in versions up to 21.7.6-8564. Deletion is keyed on the fileID parameter, and the published description classifies the issue as improper privilege management: the deletion path does not adequately confirm that the requesting user is entitled to delete the file that fileID refers to, so a user can supply an identifier belonging to a file outside their authorization and have it removed. The attack is reachable over the network and needs no interaction from a victim user. The published description does not state what level of account access the attacker needs, so any account that can reach the file module should be treated as a potential source. The reported CVSS 4.0 base score is 5.3 (medium); the vector string is not reproduced on this page, so the exact privilege and impact metrics should be read from the CVE record rather than inferred from the score. Only ZenTao installations running affected versions are in scope. The vendor fix is version 21.7.7; the advisory states that upgrading is sufficient but does not describe the code change. No public exploit has been reported at the time of writing, but the flaw permits unauthorized deletion of stored files, which can disrupt project workflows and cause data loss.
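To make the "improper privilege management on fileID" pattern concrete, the following is an added illustration in Python; it is not ZenTao's code (which is PHP), and the record layout, privilege names, project membership model and function names are assumptions chosen for the example. It places a delete handler that checks only a role-level privilege next to one that binds the decision to the specific file the identifier resolves to, which is the distinction between "may this user call delete at all" and "may this user delete this file":

```python
"""Hypothetical model of an authorization gap on a file-delete endpoint.

Added example, not ZenTao's code. FileRecord, User, Store, the "file:delete"
privilege and the project-membership rule are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class FileRecord:
    file_id: int
    owner: str      # user who uploaded the attachment
    project: str    # object (project) the attachment belongs to


@dataclass
class User:
    name: str
    privileges: set   # coarse, role-level privileges such as "file:delete"
    projects: set     # projects the user is a member of


@dataclass
class Store:
    files: dict = field(default_factory=dict)   # file_id -> FileRecord

    def get(self, file_id):
        return self.files.get(file_id)

    def remove(self, file_id):
        del self.files[file_id]


def delete_vulnerable(store, user, file_id):
    """Checks only that the user's role may delete files, then trusts file_id.

    Any account holding "file:delete" can remove any file in the instance
    simply by changing the identifier: the role check is satisfied, but
    nothing ties the decision to the file actually being targeted.
    """
    if "file:delete" not in user.privileges:
        return "forbidden"
    if store.get(file_id) is None:
        return "not found"
    store.remove(file_id)
    return "deleted"


def delete_hardened(store, user, file_id):
    """Binds the decision to the file the identifier resolves to."""
    # Reject anything that is not a positive integer before touching storage
    # (bool is excluded explicitly because it is a subclass of int).
    if not isinstance(file_id, int) or isinstance(file_id, bool) or file_id <= 0:
        return "not found"
    rec = store.get(file_id)
    # A file the user cannot see is reported as absent, so the endpoint
    # cannot be used to enumerate which identifiers exist.
    if rec is None or rec.project not in user.projects:
        return "not found"
    # Object-level check: the uploader may delete their own attachment;
    # anyone else needs the delete privilege on top of project membership.
    if rec.owner != user.name and "file:delete" not in user.privileges:
        return "forbidden"
    store.remove(file_id)
    return "deleted"


def demo():
    """Constructed scenario: a member of project A targets a file in project B."""
    store = Store({
        1: FileRecord(1, owner="alice", project="A"),
        2: FileRecord(2, owner="bob", project="B"),
    })
    mallory = User("mallory", privileges={"file:delete"}, projects={"A"})
    before = delete_vulnerable(Store(dict(store.files)), mallory, 2)
    after = delete_hardened(store, mallory, 2)
    return before, after, 2 in store.files


if __name__ == "__main__":
    print(demo())
```

The hardened variant answers "not found" both for missing files and for files in projects the caller is not a member of; returning a distinct "forbidden" there would let a caller map valid fileID values by probing. Whether your own application prefers that trade-off over a clearer error is a design choice, but the check on the owning object must happen before the delete in either case.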
Potential Impact
For European organizations, the vulnerability poses a risk of unauthorized file deletion within ZenTao installations, with potential loss of project artifacts (attachments, specifications, test evidence) and disruption of development workflows, especially where backup and recovery mechanisms are inadequate. Because the flaw is a deletion primitive, its direct impact is on integrity and availability; the published description does not indicate that file contents are disclosed, so confidentiality is not directly affected. Organizations relying heavily on ZenTao for project management or bug tracking may experience operational delays and increased recovery costs. Remote exploitability without user interaction makes automated or targeted abuse practical once an attacker has whatever access the flaw requires. No exploit is publicly known at present, but the vulnerability could be used against production environments to disrupt business continuity or sabotage development efforts. The impact is more pronounced in sectors with stringent data-integrity and record-retention requirements such as finance, healthcare, and critical infrastructure within Europe.
Mitigation Recommendations
European organizations using ZenTao should upgrade all affected instances to version 21.7.7 or later; that is the only change that closes the flaw. Until then, and as defense in depth afterwards: audit ZenTao roles so that the ability to delete files is granted only where needed (this narrows who can reach the vulnerable code path but does not repair the missing check itself); restrict network access to the ZenTao interface to authorized personnel and trusted IP ranges; keep tested backups of the ZenTao database and attachment storage so that deleted files can be restored; log requests to the file-delete endpoint with the client address, the account, and the fileID value, and alert on bursts of deletions or sequential fileID values from a single client; and, where a WAF sits in front of ZenTao, rate-limit the delete endpoint rather than trying to block individual requests, since the WAF cannot tell an authorized fileID from an unauthorized one. Finally, maintain an up-to-date inventory of ZenTao deployments and ensure timely application of security updates.
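The log-monitoring recommendation above is easy to state and less easy to operationalize, so here is an added detection example (not part of the advisory and not ZenTao tooling) that scans web server access logs for the pattern an identifier-walking attack would leave: one client calling the file-delete endpoint with many distinct fileID values in a short window. It assumes the delete call appears either as /file-delete-<id>.html or as ?m=file&f=delete&fileID=<id>, that the logs are in Apache/nginx combined format, and that the sample lines, window and threshold are constructed placeholders; verify the URL forms against your own deployment's routing before relying on it:

```python
"""Added detection example, not part of the advisory or of ZenTao.

Flags clients that call the file-delete endpoint with many distinct fileID
values inside a sliding time window. Assumptions (verify locally): delete
requests look like /file-delete-<id>.html or ?m=file&f=delete&fileID=<id>;
logs are Apache/nginx combined format; window and threshold are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
PATH_STYLE = re.compile(r"/file-delete-(\d+)\.html$")

# Constructed sample: one client walks five consecutive identifiers in eight
# seconds (mixing both URL styles); a second client deletes one file and
# then browses a project page.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2025:09:00:01 +0000] "GET /zentao/file-delete-101.html HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Dec/2025:09:00:03 +0000] "GET /zentao/file-delete-102.html HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Dec/2025:09:00:04 +0000] "GET /zentao/index.php?m=file&f=delete&fileID=103 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Dec/2025:09:00:06 +0000] "GET /zentao/file-delete-104.html HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Dec/2025:09:00:08 +0000] "GET /zentao/file-delete-105.html HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Dec/2025:09:10:00 +0000] "GET /zentao/file-delete-77.html HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Dec/2025:09:11:00 +0000] "GET /zentao/project-browse.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def delete_file_id(path):
    """Return the fileID targeted by a delete request, or None if the
    request is not a delete (or carries a non-numeric identifier)."""
    parts = urlsplit(path)
    m = PATH_STYLE.search(parts.path)
    if m:
        return int(m.group(1))
    q = parse_qs(parts.query)
    if q.get("m") == ["file"] and q.get("f") == ["delete"] and "fileID" in q:
        value = q["fileID"][0]
        return int(value) if value.isdigit() else None
    return None


def parse_line(line):
    """Return (client_ip, timestamp, fileID) for delete requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fid = delete_file_id(m["path"])
    if fid is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, fid


def find_enumeration(lines, window=timedelta(minutes=5), min_ids=5):
    """Return [(ip, sorted fileIDs)] for every client that targeted at least
    min_ids distinct identifiers within some window-length span."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, fid = parsed
            events[ip].append((ts, fid))
    findings = []
    for ip, evs in sorted(events.items()):
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits the configured span.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ids = {fid for _, fid in evs[start:end + 1]}
            if len(ids) >= min_ids:
                findings.append((ip, sorted(ids)))
                break
    return findings


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {len(ids)} distinct fileIDs in one window: {ids}")
```

Access logs identify the client, not the ZenTao account, so a hit from this script should be joined with the application's own audit trail to name the user. The response status is deliberately ignored: a request that was refused still shows intent, and a 200 does not by itself prove a deletion happened.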
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-29T20:21:18.012Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692c1e20395d5becff8a1cce
Added to database: 11/30/2025, 10:36:16 AM
Last enriched: 12/7/2025, 10:39:17 AM
Last updated: 1/19/2026, 2:22:56 AM