CVE-2025-13283: CWE-352 Cross-Site Request Forgery (CSRF) in Chunghwa Telecom TenderDocTransfer
TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes.
AI Analysis
Technical Summary
CVE-2025-13283 affects the TenderDocTransfer application developed by Chunghwa Telecom. The application starts a small HTTP server on the user's machine and exposes APIs that the vendor's target website calls from the browser. Two weaknesses combine here: the APIs have no CSRF protection (CWE-352), and one of them accepts an absolute file path without validation (CWE-36, Absolute Path Traversal).

Because the APIs require neither authentication nor an anti-CSRF token, any web page the victim opens can make the browser issue requests to the local listener. The attacker never connects to the victim's machine; the victim's own browser is the client. That is why the advisory calls the attacker "remote" even though the server is bound to localhost, and why filtering the port at the network does not stop the attack. Unless the server also sends permissive CORS headers, the attacker's page cannot read the responses, but the side effect, the file copy, happens regardless. The path traversal flaw then lets the attacker name any file the user can read as the source and any path the user can write as the destination. Copying sensitive files into a location the attacker can later reach (a folder served by another local application, a synced directory, a network share) is an information-disclosure path; copying large files repeatedly is a disk-exhaustion denial of service.

Exploitation requires user interaction (opening a malicious page or link) but no credentials, and the CVSS 4.0 score of 7.0 places it in the High band. No public exploit is known at the time of writing. The affected version in the CVE record is given as '0'; treat this as "versions not enumerated" rather than as a specific release, and confirm the affected builds with the vendor (TWCERT is the assigning CNA). No patch is listed, and the record was published on November 17, 2025. The risk is highest where TenderDocTransfer runs on workstations that also browse the web and handle sensitive procurement documents, and where users are exposed to phishing campaigns.
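The browser-side precondition the analysis above relies on, as an added example that is not part of the advisory, of TenderDocTransfer or of any Chunghwa Telecom code: it enumerates the request shapes a phishing page can fire at a loopback API and checks each against a model of the server's defenses. The endpoint URL, the `src`/`dst` parameter names, the `X-Api-Token` header and every policy object are hypothetical placeholders, not the real API.

```javascript
'use strict';
// Added example; not code from the advisory, from Chunghwa Telecom or from
// TenderDocTransfer. It models the precondition for the CSRF half of the bug:
// which request shapes a phishing page can fire at a loopback API, and which
// server-side checks stop each one. The endpoint URL, parameter names and
// policies below are hypothetical placeholders, not the real API.

const TARGET = 'http://127.0.0.1:8000/api/copy'; // hypothetical loopback endpoint

// CORS "simple request" rules. A request that fits them is sent with no
// OPTIONS preflight, so a server that never implemented CORS still executes
// it; the browser only withholds the response from the attacker's page.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_MIME = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function mimeOf(headers) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === 'content-type');
  return hit ? hit[1].split(';')[0].trim().toLowerCase() : '';
}

function isSentWithoutPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return false;
  if (Object.keys(req.headers).some((k) => !SAFELISTED.has(k.toLowerCase()))) return false;
  const mime = mimeOf(req.headers);
  return mime === '' || SIMPLE_MIME.has(mime);
}

// Request shapes a page on an attacker-controlled origin can aim at TARGET,
// from least to most constrained. `src`/`dst` are the hypothetical parameters.
function csrfCandidates(src, dst) {
  const form = `src=${encodeURIComponent(src)}&dst=${encodeURIComponent(dst)}`;
  const json = JSON.stringify({ src, dst });
  const post = (name, headers, body) => ({ name, method: 'POST', url: TARGET, headers, body });
  return [
    post('auto-submitted HTML form', { 'Content-Type': 'application/x-www-form-urlencoded' }, form),
    post('fetch(mode: "no-cors") with text/plain body', { 'Content-Type': 'text/plain' }, json),
    post('fetch with application/json', { 'Content-Type': 'application/json' }, json),
    post('fetch with guessed token header', { 'Content-Type': 'application/json', 'X-Api-Token': 'guess' }, json),
  ];
}

// Server-side policy model. `preflightAllowsAnyOrigin` stands for a server
// that answers OPTIONS with Access-Control-Allow-Origin: * (or reflects the
// caller's origin) and allows custom headers; `requiresMime` for a handler
// that refuses bodies whose declared Content-Type is not the expected one.
function outcome(policy, req) {
  if (!isSentWithoutPreflight(req) && !policy.preflightAllowsAnyOrigin) {
    return 'not sent: browser preflight not approved';
  }
  if (policy.checksOrigin) return 'rejected: Origin not allowlisted';
  if (policy.requiredHeader) {
    const hit = Object.entries(req.headers).find(([k]) => k.toLowerCase() === policy.requiredHeader.toLowerCase());
    if (!hit || hit[1] !== policy.expectedToken) return 'rejected: missing or wrong token';
  }
  if (policy.requiresMime && mimeOf(req.headers) !== policy.requiresMime) return 'rejected: wrong Content-Type';
  return 'EXECUTED';
}

function exploitable(policy, src, dst) {
  return csrfCandidates(src, dst).filter((r) => outcome(policy, r) === 'EXECUTED').map((r) => r.name);
}

// The pattern the advisory describes: no token, no Origin check, lenient parsing.
const VULNERABLE = { checksOrigin: false, requiredHeader: null, expectedToken: null,
  preflightAllowsAnyOrigin: false, requiresMime: null };
// Strict Content-Type alone only holds while the server has no permissive CORS.
const STRICT_JSON = { ...VULNERABLE, requiresMime: 'application/json' };
const STRICT_JSON_OPEN_CORS = { ...STRICT_JSON, preflightAllowsAnyOrigin: true };
// Origin allowlist plus an unguessable per-session token in a custom header.
const HARDENED = { ...STRICT_JSON, checksOrigin: true, requiredHeader: 'X-Api-Token',
  expectedToken: 'random-per-session-secret' };

function report(src, dst) {
  return Object.entries({ VULNERABLE, STRICT_JSON, STRICT_JSON_OPEN_CORS, HARDENED })
    .map(([name, p]) => `${name}: ${JSON.stringify(exploitable(p, src, dst))}`);
}
console.log(report('C:\\Users\\victim\\bid.docx', 'C:\\Users\\Public\\bid.docx').join('\n'));
```

The point the model makes: against the pattern in the advisory, a plain HTML form or a `no-cors` fetch with a `text/plain` body reaches the handler with no preflight at all. Insisting on `application/json` stops those two only as long as nobody later adds a permissive CORS response to make the vendor site's calls work; an Origin allowlist plus a secret token the phishing page cannot know holds in every case.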
Potential Impact
For European organizations the risks are primarily to confidentiality and availability. The vulnerability itself only moves files within the victim's machine, so exfiltration needs a second channel: copying a sensitive document into a folder served by another local application, a cloud-synced directory or a network share turns the local copy into a disclosure. Repeatedly copying large files fills the disk and can take the workstation, or services that share it, offline. The attack starts with phishing and depends on user interaction, so organizations with weaker security-awareness programs are more exposed; because the API requires no authentication, any user who has the application running and opens the attacker's page can trigger it without noticing. Finance, healthcare and public-sector bodies that exchange tender documents through this tool are the obvious targets. The pattern itself, a desktop helper that exposes a loopback HTTP API for a website to call, is common, and the same CSRF and path-handling weaknesses should be looked for in comparable tools. With no patch listed, the exposure window is open; the plausible outcomes are data breach, disrupted bidding workflows and increased incident-response cost.
Mitigation Recommendations
European organizations should act before a patch is available. The most effective control is not to have TenderDocTransfer running on machines that also browse the web or handle sensitive material: uninstall it where it is not needed, and elsewhere start it only for the tender-upload task and close it afterwards. Verify with netstat or ss which address the local server binds to; if it listens on all interfaces rather than 127.0.0.1, block the port at the host firewall so that other hosts on the LAN cannot reach it. Firewalling does not stop the CSRF path, because the request comes from the victim's own browser on the same host, so do not treat port filtering as a fix. Endpoint detection should flag the application's process copying files from outside its normal working folders (user profiles, credential stores, mail caches) or producing bursts of large writes, and disk-space alerts help catch the denial-of-service variant. Train users on the phishing lure, but do not rely on that alone. The vendor fix has to address both weaknesses: the API should verify the Origin header against an allowlist and require an unguessable per-session token in a custom request header that only the legitimate site receives (SameSite cookies are not a fix for an API that does not use cookie-based sessions), and the copy endpoint must canonicalize both paths and reject any that are absolute, contain '..' or resolve outside an allowed directory. Application allowlisting or sandboxing limits what the helper can read and write in the meantime. Audit for unexpected copies and disk anomalies, and track TWCERT and vendor channels for the patch.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: twcert
- Date Reserved: 2025-11-17T02:58:20.490Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691a9d62c118c0da2e5d7ea0
Added to database: 11/17/2025, 3:58:26 AM
Last enriched: 11/24/2025, 4:52:59 AM
Last updated: 1/7/2026, 5:25:25 AM