New Vulnerability in LibreOffice Allows Attackers to Execute Malicious Files
A new critical vulnerability (CVE-2025-0514) has been discovered in LibreOffice, which has now been patched. Researchers have found that attackers can exploit specially crafted documents to execute malicious files on Windows systems.
This vulnerability has been rated 7.2 on the CVSS 4.0 scale, as it enables remote code execution (RCE). Specifically, it exploits LibreOffice’s hyperlink handling mechanism.
It has been identified that the input validation mechanism in LibreOffice’s hyperlink processing on Windows is insufficiently robust.
When a user clicks on a hyperlink in a document, the program passes it to the Windows ShellExecute function, which handles link opening or file execution.
Normally, LibreOffice has a security mechanism that blocks the execution of dangerous files via ShellExecute. However, attackers have found a way to bypass this protection by using non-standard URLs that mimic local file paths. For example:
\\hacker-server\malicious.exeSuch a link is perceived by LibreOffice as safe but is actually passed to ShellExecute, leading to the execution of malicious code.
This vulnerability affects LibreOffice versions 24.8 – 24.8.4. Successful exploitation requires user interaction, meaning the victim must hold the CTRL key and click the link.
However, attackers can deceive users by embedding malicious links in invoices, reports, or other official documents, increasing the likelihood of activation.
This issue was addressed in LibreOffice 24.8.5. The update implements a special mechanism that prevents incorrect interpretation of non-standard URLs via ShellExecute.
The fix was developed by leading LibreOffice contributors Stephen Bergman (allotropia) and Caolán McNamara (Collabora).
Organizations and individual users are advised to take the following security measures:
✔ Urgently update LibreOffice – install version 24.8.5 or later.
✔ Restrict hyperlink execution – disable automatic hyperlink execution in LibreOffice settings.
✔ Use a whitelisting strategy – allow only trusted applications and processes to run on your system.
✔ Isolate applications – consider running LibreOffice in a virtual environment or systems with additional security layers.
✔ Enhance network monitoring – utilize advanced cybersecurity tools to detect suspicious activity early.
The new CVE-2025-0514 vulnerability in LibreOffice allows attackers to remotely execute malicious files on Windows systems. Such exploits increase the risk of malware propagation in corporate networks.
There is no evidence of active exploitation of this vulnerability yet. However, the publication of technical details may lead to an increase in attacks in the future.
Therefore, users should urgently update LibreOffice, strengthen security measures, and exercise caution when opening documents from unverified sources.
Remember: Cybersecurity requires constant vigilance and caution!
