Critical Vulnerability in LibreOffice Exposes Windows Users to Remote Code Execution Risk

Critical LibreOffice Vulnerabilities Expose Windows Users to Remote Code Execution Risk

A critical security vulnerability (CVE-2025-0514) has been discovered in LibreOffice, a widely used open-source office suite, exposing Windows users to the risk of remote code execution (RCE). The flaw, which has been patched in the latest version (LibreOffice 24.8.5), allows attackers to execute arbitrary code through specially crafted hyperlinks in documents.

The Vulnerability Explained

The vulnerability stems from improper input validation in LibreOffice’s handling of hyperlinks on Windows systems. When users press CTRL + Click on a hyperlink in a document, the application passes the link to Windows’ ShellExecute function for processing. This function handles the execution of links, but LibreOffice includes a mechanism designed to block executable file paths from being processed in order to prevent unintentional program launches.

However, researchers found that this safeguard could be bypassed by using non-file URLs—such as those mimicking Windows file paths. For example, links formatted like \\attacker-server\malicious.exe could be misinterpreted as local file paths, bypassing LibreOffice’s filters and triggering the execution of malicious payloads on a user’s system.

This vulnerability affects LibreOffice versions 24.8 through 24.8.4 on Windows systems. Successful exploitation requires user interaction—victims must click the malicious hyperlink while holding the CTRL key. Malicious actors can exploit this flaw by embedding crafted links in seemingly harmless documents, such as invoices or reports, increasing the likelihood of activation.

Fix and Mitigation

LibreOffice’s development team addressed the issue in version 24.8.5, which enhances the application’s ability to validate hyperlink targets before processing them. The fix blocks non-file URL misinterpretations that could lead to the execution of malicious files. The update was officially released on February 25, 2025, and users are strongly urged to upgrade to this version immediately to mitigate the risk.

Security Recommendations

Security teams recommend that all Windows users upgrade to LibreOffice 24.8.5 or later to protect themselves from this vulnerability. For organizations that cannot patch immediately, alternatives such as disabling hyperlink execution within LibreOffice’s settings or using application whitelisting to block unauthorized executables may serve as temporary mitigations.

Although no active exploitation has been reported, the public disclosure of technical details increases the likelihood of attackers weaponizing this vulnerability. Administrators should also ensure that endpoint monitoring is in place to detect anomalous processes, especially those triggered by document workflows.

Acknowledgments

This vulnerability was identified and responsibly reported by Amel Bouziane-Leblond, who highlighted the ease with which attackers could exploit the flaw. The patch was developed by Caolán McNamara from Collabora Productivity and Stephen Bergman from allotropia. Their efforts have ensured that LibreOffice users can now securely interact with documents containing hyperlinks without fearing malicious exploitation.

For further details, users can visit the official LibreOffice security advisory, and it's recommended that businesses prioritize patching to prevent potential security breaches.

Conclusion

While LibreOffice’s hyperlink feature is designed for user convenience, it inadvertently created a vector for attack, showing how even simple functions can be exploited if not properly secured. As this vulnerability highlights ongoing challenges in securing document-processing applications, it emphasizes the importance of regular software updates and user awareness in preventing future cyber threats.