CVE-2025-13283 affects the TenderDocTransfer application developed by Chunghwa Telecom, which operates a local web server to facilitate communication with target websites via exposed APIs. The core issue stems from the absence of Cross-Site Request Forgery (CSRF) protections on these APIs, enabling unauthenticated remote attackers to coerce victims into executing unintended actions through crafted phishing attacks. One critical API endpoint suffers from an Absolute Path Traversal vulnerability (CWE-36), allowing attackers to copy arbitrary files from the victim's system and paste them into any specified path. This arbitrary file copy and paste capability can lead to significant information leakage if sensitive files are accessed and duplicated, as well as potential denial of service through disk space exhaustion if large volumes of files are copied. The vulnerability does not require any authentication or privileges but does require user interaction, typically via phishing. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:A), high confidentiality impact (VC:H), no integrity impact (VI:N), low availability impact (VA:L), and no scope change (SC:N). No patches or known exploits are currently available, and the vulnerability was published on November 17, 2025. The affected version is listed as '0', which may indicate an initial or default version number or a placeholder, suggesting all current versions might be impacted.

For European organizations, this vulnerability poses a significant risk primarily to confidentiality due to the arbitrary file copy capability, which could expose sensitive corporate or personal data. The ability to paste files arbitrarily could also be abused to overwrite critical files or fill storage, potentially disrupting operations. Since the attack vector is remote and requires only user interaction via phishing, organizations with users of TenderDocTransfer or related systems are at risk of targeted phishing campaigns exploiting this flaw. The lack of authentication requirements broadens the attack surface, increasing the likelihood of exploitation. Industries handling sensitive documents, such as legal, financial, or governmental sectors, could face severe data breaches or operational disruptions. Additionally, the vulnerability could be leveraged in multi-stage attacks to establish persistence or move laterally within networks. The absence of known exploits currently provides a window for proactive mitigation, but the high CVSS score underscores the urgency of addressing this issue.

Organizations should immediately assess the deployment of TenderDocTransfer within their environments and restrict its usage where possible. Network segmentation should isolate systems running this application to limit exposure. Implement strict phishing awareness and training programs to reduce the risk of user interaction exploitation. Employ endpoint protection solutions capable of detecting unusual file operations or local web server activity. Where feasible, disable or block the local web server's API endpoints at the network or host firewall level to prevent unauthorized access. Monitor logs for suspicious API calls or file operations indicative of exploitation attempts. Since no patches are currently available, consider deploying application-layer web application firewalls (WAFs) or host-based intrusion prevention systems (HIPS) with custom rules to detect and block path traversal or CSRF-like requests. Engage with Chunghwa Telecom for updates and patches and plan for prompt application updates once available. Finally, implement data loss prevention (DLP) controls to detect and prevent unauthorized copying or exfiltration of sensitive files.