CVE-2025-32673: Cross-Site Request Forgery (CSRF) in epeken Epeken All Kurir
Cross-Site Request Forgery (CSRF) vulnerability in epeken Epeken All Kurir epeken-all-kurir allows Stored XSS. This issue affects Epeken All Kurir: from n/a through <= 2.0.6.
AI Analysis
Technical Summary
CVE-2025-32673 identifies a security vulnerability in the epeken Epeken All Kurir software, specifically versions up to 2.0.6. The core issue is a Cross-Site Request Forgery (CSRF) vulnerability, which allows attackers to trick authenticated users into submitting unwanted requests to the application without their consent. This can lead to unauthorized actions being executed with the victim's privileges. Compounding this, the vulnerability also enables Stored Cross-Site Scripting (XSS), where malicious scripts injected by an attacker are persistently stored on the server and executed in the browsers of users who access the affected content. This combination of CSRF and Stored XSS significantly increases the attack surface, allowing attackers to hijack user sessions, steal sensitive information, manipulate data, or perform administrative actions. The vulnerability affects all versions up to and including 2.0.6, with no patches or fixes currently linked or available. No known exploits have been reported in the wild, but the presence of these vulnerabilities indicates a critical weakness in the input validation and request verification mechanisms of the software. The lack of a CVSS score necessitates an expert severity assessment based on the potential impact and exploitability.
Potential Impact
The impact of this vulnerability is substantial for organizations using the epeken Epeken All Kurir platform. Successful exploitation can lead to unauthorized actions performed on behalf of legitimate users, including administrative functions, data manipulation, or disruption of services. Stored XSS can compromise user confidentiality by stealing session tokens, credentials, or other sensitive data, and can also be used to spread malware or conduct phishing attacks. The integrity of the system is at risk due to unauthorized data changes, and availability could be affected if attackers disrupt normal operations. Organizations relying on this software for logistics, shipping, or e-commerce operations may face operational disruptions, reputational damage, and potential regulatory consequences if customer data is compromised. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability details are public.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement robust anti-CSRF protections, such as synchronizer tokens or double-submit cookies, so that every state-changing request is verified as legitimate. Input validation and output encoding should be enforced to prevent Stored XSS, ensuring that user-supplied data is sanitized before storage and encoded when rendered. Monitoring and logging of unusual user activity can help detect exploitation attempts early. Until an official patch is released, consider virtual patching via a Web Application Firewall (WAF) to block suspicious requests targeting CSRF and XSS vectors. Educate users about the risks of clicking untrusted links or executing unknown scripts. Regularly update and audit the epeken Epeken All Kurir installation and related dependencies. Engage with the vendor for timely patch releases and apply them promptly once available.
Affected Countries
Indonesia, Malaysia, Singapore, Thailand, Vietnam, Philippines, India, United States, Germany, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-04-09T11:21:18.307Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd73ede6bfc5ba1def417c
Added to database: 4/1/2026, 7:37:17 PM
Last enriched: 4/2/2026, 3:49:01 AM
Last updated: 4/3/2026, 7:22:28 AM