LibreOffice Flaws Allow Attackers to Run Malicious Files on Windows

A high-severity security vulnerability (CVE-2025-0514) in LibreOffice, the widely used open-source office suite, has been patched after researchers discovered it could allow attackers to execute malicious files on Windows systems by exploiting hyperlink handling mechanisms.

The flaw, which impacts versions before 24.8.5, revolves around improper validation of non-file URLs interpreted as Windows file paths through the ShellExecute function.

Vulnerability Mechanism

The exploit leverages LibreOffice’s hyperlink activation feature, typically triggered by CTRL+click.

Under normal circumstances, the software blocks paths pointing to executable files when passed to Windows’ ShellExecute API to prevent unintended program launches.

However, researchers found that specially crafted non-file URLs—such as those using alternative URI schemes or encoding techniques—could bypass these safeguards.

This allows attackers embedding malicious links in documents (e.g., .odt, .ods) to execute arbitrary code when recipients interact with the content, even without macros enabled.

Patch and Mitigation

LibreOffice maintainers released version 24.8.5 on February 25, 2025, introducing enhanced validation checks that block non-file URL interpretations as local file paths.

Collabora Productivity engineer Caolán McNamara and allotropia developer Stephen Bergman spearheaded the fix, which modifies how the software processes hyperlink targets before system handoff.

Organizations and individual users must update immediately, as unpatched systems remain vulnerable to document-based attack vectors commonly distributed via phishing campaigns.

Security researcher Amel Bouziane-Leblond identified and reported the flaw through LibreOffice’s responsible disclosure channels.

“This bypass demonstrates how subtle differences in URI parsing across systems can undermine security assumptions,” Bouziane-Leblond noted in the advisory.

The development team has urged users to scrutinize unsolicited documents and avoid enabling hyperlinks from untrusted sources.

While CVE-2025-0514 primarily affects Windows installations, the incident highlights persistent challenges in securing document-processing workflows against evolving attack methodologies.

LibreOffice’s patch follows similar recent vulnerabilities in competing office suites, underscoring the importance of routine software updates in enterprise environments.

Administrators are advised to enforce centralized update policies and combine patching with user education to mitigate social engineering risks.

The LibreOffice community has not observed active exploitation attempts but classifies the flaw as critical due to its potential impact.

Users can download the patched version directly from the project’s official repository or through Linux distribution maintainers.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free