CVE-2025-13282 identifies a critical security flaw in the TenderDocTransfer application developed by Chunghwa Telecom. This application operates a local web server that exposes APIs intended for communication with a target website. The vulnerability arises from two main issues: a lack of Cross-Site Request Forgery (CSRF) protections and an Absolute Path Traversal vulnerability within one of the APIs. The absence of CSRF tokens or equivalent protections means that attackers can craft malicious web requests that a user’s browser will execute unknowingly if the user visits a phishing page. Since the APIs are unauthenticated, these requests can invoke sensitive operations without requiring user credentials. The Absolute Path Traversal allows attackers to specify arbitrary file paths on the local system, enabling deletion of any file accessible by the application’s process. This combination means an attacker can remotely induce a victim to delete critical files on their system, potentially disrupting operations or causing data loss. The CVSS 4.0 score of 7 (high severity) reflects the network attack vector, low attack complexity, no privileges required, but requiring user interaction and resulting in high confidentiality and integrity impact. No known exploits have been reported yet, but the vulnerability’s nature makes it a significant risk, especially in environments where the application is deployed and users might be targeted via phishing campaigns.

For European organizations, the impact of this vulnerability can be substantial, particularly for those in telecommunications, government, or critical infrastructure sectors that might use TenderDocTransfer or similar local API-based tools. The arbitrary file deletion can lead to loss of critical configuration files, disruption of services, or compromise of system integrity. Confidential data could be indirectly exposed if system stability is affected or if attackers leverage the deletion to facilitate further attacks. The requirement for user interaction via phishing means social engineering campaigns could be effective, increasing the risk to organizations with less mature security awareness programs. Additionally, the lack of authentication on the APIs broadens the attack surface, making it easier for attackers to exploit the vulnerability remotely. The disruption caused by file deletion could affect business continuity and lead to regulatory compliance issues under GDPR if personal data processing is impacted.

To mitigate this vulnerability, organizations should first verify if they are using TenderDocTransfer version 0 or any affected versions and prioritize patching once available. In the absence of patches, network-level controls should be implemented to restrict access to the local web server APIs, such as firewall rules limiting localhost API access or application whitelisting. Implementing strict CSRF protections is critical; this includes adding CSRF tokens to all state-changing API requests and validating the Origin and Referer headers. Input validation and sanitization must be enforced on file path parameters to prevent path traversal, ensuring that only intended directories and files can be affected. User awareness training should be enhanced to reduce the risk of phishing attacks that could trigger exploitation. Monitoring and logging API access can help detect suspicious activity. Finally, consider isolating the application environment or running it with minimal privileges to limit the impact of any successful exploitation.