CVE-2025-13282: CWE-352 Cross-Site Request Forgery (CSRF) in Chunghwa Telecom TenderDocTransfer
TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.
AI Analysis
Technical Summary
CVE-2025-13282 affects TenderDocTransfer, a software product by Chunghwa Telecom that operates a local web server to facilitate communication with target websites via exposed APIs. The vulnerability arises from two main issues: a lack of Cross-Site Request Forgery (CSRF) protections on these APIs and an Absolute Path Traversal flaw within one API that permits arbitrary file deletion on the user's local system. The absence of CSRF tokens or similar safeguards means that attackers can craft malicious web pages or emails that, when visited or opened by a user running TenderDocTransfer, trigger unauthorized API calls without the user's explicit consent. The Absolute Path Traversal vulnerability (CWE-36) allows attackers to specify arbitrary file paths, enabling deletion of critical files, potentially leading to data loss or system instability. The CVSS 4.0 vector indicates the attack is network-based (AV:N), requires low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:A). The impact on confidentiality is none, but integrity and availability impacts are high due to arbitrary file deletion. No authentication is required, increasing the attack surface. Although no public exploits are reported yet, the combination of CSRF and path traversal in a local server context makes this a significant threat, especially if users are targeted via phishing campaigns. The affected version is listed as '0', which likely indicates an initial or early release version of the software. No patches have been published at the time of disclosure, emphasizing the need for immediate defensive measures.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized deletion of critical files on systems running TenderDocTransfer, resulting in data loss, service disruption, and potential operational downtime. Since the attack vector involves phishing combined with local API exploitation, employees could be tricked into triggering destructive actions without realizing it. This could affect document workflows, especially if TenderDocTransfer is used for sensitive tender or contract management processes. The integrity and availability of data are at high risk, which could impact compliance with data protection regulations such as GDPR if data loss or service interruptions occur. Additionally, the lack of confidentiality impact means data exfiltration is not a direct concern, but the destruction of files could indirectly cause reputational damage and financial losses. The threat is heightened in environments where users have elevated privileges or where backup and recovery processes are insufficient. European organizations with remote or hybrid workforces may be more vulnerable due to increased phishing risks and less controlled endpoint environments.
Mitigation Recommendations
1. Immediately restrict or disable the TenderDocTransfer application on endpoints until a vendor patch is available.
2. Implement network-level controls to block access to the local web server ports used by TenderDocTransfer, preventing remote exploitation of the APIs.
3. Educate users about phishing risks, emphasizing the dangers of interacting with unsolicited links or emails while running TenderDocTransfer.
4. Employ endpoint detection and response (EDR) solutions to monitor and alert on suspicious file deletion activities or unauthorized API calls.
5. If possible, configure application-level firewall or local host-based controls to limit API access to trusted sources only.
6. Regularly back up critical files and verify backup integrity to enable recovery from arbitrary file deletion attacks.
7. Monitor vendor communications closely for patches or updates addressing the vulnerability and apply them promptly.
8. Conduct internal audits to identify all systems running TenderDocTransfer and assess exposure.
9. Consider deploying web browser security features or extensions that block CSRF attacks or malicious scripts.
10. Collaborate with IT security teams to implement phishing-resistant authentication and email filtering to reduce the likelihood of successful phishing campaigns.
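The two weaknesses described above (no CSRF protection, and a delete API that accepts absolute paths) are both fixed on the server side, and a practitioner should note that a CSRF request is sent by the victim's own browser to the local listener, so port blocking alone does not stop it. The following is an added example, not TenderDocTransfer's code or any API of the real product: a minimal local HTTP API in Python that applies both missing controls. The endpoint name `/api/delete`, the port, the trusted origin `https://tender.example.invalid`, the header name `X-CSRF-Token` and the JSON field `name` are all assumptions made for the illustration.

```python
# Added illustrative example; not code from TenderDocTransfer or Chunghwa Telecom.
# Demonstrates two defences for a local web-server API:
#   1. CSRF defence: accept only requests whose browser-set Origin header is on an
#      allowlist AND that carry a per-session token a foreign page cannot know.
#   2. Path-confinement defence (CWE-36 / CWE-22): resolve the requested name under a
#      base directory and refuse anything that escapes it (absolute paths, ../).
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://tender.example.invalid"}  # assumed trusted web origin
CSRF_TOKEN_HEADER = "X-CSRF-Token"                   # assumed header name


def origin_allowed(origin):
    """True only if the Origin header names an allowlisted scheme://host[:port].

    Browsers attach Origin to cross-site POST/fetch requests and page script cannot
    alter it, so a phishing page on another origin fails this check."""
    if not origin:
        return False
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def resolve_within_base(base_dir, requested):
    """Return the resolved path of `requested` inside `base_dir`, else raise ValueError.

    pathlib discards the left operand when the right one is absolute, so an absolute
    `requested` (the CWE-36 case) and a ../ sequence both end up outside base_dir and
    are rejected; the base directory itself is rejected too."""
    base_real = Path(base_dir).resolve()
    candidate = (base_real / requested).resolve()
    if candidate == base_real or base_real not in candidate.parents:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def check_delete_request(headers, body, base_dir, expected_token):
    """Pure validation step; returns (http_status, message, target_path_or_None)."""
    if not origin_allowed(headers.get("Origin")):
        return 403, "cross-origin request rejected", None
    if not expected_token or headers.get(CSRF_TOKEN_HEADER) != expected_token:
        return 403, "missing or invalid CSRF token", None
    try:
        req = json.loads(body or b"{}")
        if not isinstance(req, dict):
            raise ValueError("body must be a JSON object")
        target = resolve_within_base(base_dir, str(req.get("name", "")))
    except (ValueError, TypeError):
        return 400, "invalid request", None
    return 200, "ok", target


class DeleteApiHandler(BaseHTTPRequestHandler):
    base_dir = "."          # set by run_server()
    session_token = None    # set by run_server()

    def _reply(self, status, message):
        body = json.dumps({"status": status, "message": message}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != "/api/delete":
            return self._reply(404, "unknown endpoint")
        length = int(self.headers.get("Content-Length", 0))
        status, msg, target = check_delete_request(
            self.headers, self.rfile.read(length), self.base_dir, self.session_token)
        if status != 200:
            return self._reply(status, msg)
        if not target.is_file():
            return self._reply(404, "no such file")
        target.unlink()
        self._reply(200, f"deleted {target.name}")


def run_server(base_dir, port=18080):
    """Serve the API on loopback only; the token is minted per process and would be
    handed to the trusted page out of band (e.g. printed for the operator here)."""
    DeleteApiHandler.base_dir = base_dir
    DeleteApiHandler.session_token = secrets.token_urlsafe(32)
    print("CSRF token for trusted page:", DeleteApiHandler.session_token)
    HTTPServer(("127.0.0.1", port), DeleteApiHandler).serve_forever()


def demo():
    """Exercise the checks against a constructed temp directory; returns status codes."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "doc.pdf").write_bytes(b"constructed sample file")
        trusted = {"Origin": "https://tender.example.invalid", CSRF_TOKEN_HEADER: "tok"}
        return {
            "phishing_origin": check_delete_request({"Origin": "https://evil.example"}, b"{}", tmp, "tok")[0],
            "no_token": check_delete_request({"Origin": "https://tender.example.invalid"}, b"{}", tmp, "tok")[0],
            "absolute_path": check_delete_request(trusted, b'{"name": "/etc/hosts"}', tmp, "tok")[0],
            "dotdot": check_delete_request(trusted, b'{"name": "../../etc/hosts"}', tmp, "tok")[0],
            "in_base": check_delete_request(trusted, b'{"name": "doc.pdf"}', tmp, "tok")[0],
        }


if __name__ == "__main__":
    print(demo())  # prints 403/403/400/400/200 for the five constructed requests
```

The Origin allowlist and the per-session token are independent layers: the first rejects any cross-site request a browser sends, the second covers clients that omit Origin. Path confinement is done on the resolved path, not by string-matching `..`, so it also catches absolute paths, which is the specific CWE-36 pattern in this advisory.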
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: twcert
- Date Reserved: 2025-11-17T02:58:18.713Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691a967cc118c0da2e5a3ba0
Added to database: 11/17/2025, 3:29:00 AM
Last enriched: 11/17/2025, 3:43:24 AM
Last updated: 11/17/2025, 5:52:05 AM
Related Threats
- CVE-2025-13265: Path Traversal in lsfusion platform (Medium)
- CVE-2025-13264: SQL Injection in SourceCodester Online Magazine Management System (Medium)
- CVE-2025-13262: Path Traversal in lsfusion platform (Medium)
- CVE-2025-13263: SQL Injection in SourceCodester Online Magazine Management System (Medium)
- CVE-2025-13283: CWE-352 Cross-Site Request Forgery (CSRF) in Chunghwa Telecom TenderDocTransfer (High)