A critical security vulnerability in LibreOffice tracked as CVE-2025-1080, has exposed millions of users to potential remote code execution attacks through manipulated macro URLs.
Patched in versions 24.8.5 and 25.2.1 released on March 4, 2025, this flaw allowed attackers to bypass security protocols and execute arbitrary scripts via LibreOffice’s custom URI scheme.
The vulnerability highlights persistent risks in document collaboration workflows and underscores the necessity of rapid software updates in enterprise environments.
The vulnerability resides in LibreOffice’s implementation of the vnd.libreoffice.command URI scheme, a feature designed to enhance integration with Microsoft SharePoint servers.
LibreOffice Vulnerability Allows Script Execution
This scheme enables browser-based interactions with LibreOffice documents stored on SharePoint, streamlining workflows for organizations using mixed office suites.
According to the advisory, the versions prior to 24.8.5 and 25.2.1 failed to sanitize nested URL components within these URIs.
Attackers could craft malicious links containing embedded inner URLs that, when clicked, triggered LibreOffice’s macro execution engine with unauthorized arguments.
Security analyst Amel Bouziane-Leblond, who identified the flaw, explained: “The URI handler failed to properly sanitize nested URL components, creating an execution pipeline for untrusted code.”
Unlike typical phishing attacks requiring document downloads, this exploit is activated simply by clicking a hyperlink in a web browser, making it exceptionally stealthy.
The exploit’s design specifically targets enterprises using LibreOffice in SharePoint-integrated environments. Attackers could embed malicious payloads in seemingly legitimate document-sharing links, potentially compromising entire networks.
For example, a threat actor might distribute a SharePoint link titled “Q4 Financial Report” that, when opened, executes a macro to deploy ransomware or exfiltrate sensitive data.
This vulnerability continues a pattern of URI-handling flaws in LibreOffice, reminiscent of CVE-2022-3140 (patched in 2022) and CVE-2023-6186 (fixed in 2023), both involving improper macro execution controls.
However, CVE-2025-1080 represents a significant escalation due to its click-to-exploit nature and lack of user-facing warnings in unpatched versions.
LibreOffice’s maintainers addressed the vulnerability through multi-layered security enhancements:
- Strict URI Schema Validation: The patch introduces rigorous checks on nested URL components, blocking malformed vnd.libreoffice.command URIs.
- Mandatory Macro Permissions: All command-triggered macros now require explicit user approval through confirmation dialogs, even for documents marked as “trusted”.
- Process Sandboxing: URI-handler operations run in isolated environments, preventing system-wide compromise if exploitation occurs.
Caolán McNamara of Collabora Productivity, who developed the fix, emphasized: “These changes maintain workflow functionality while eliminating undocumented command-injection pathways”.
Organizations must update all LibreOffice installations immediately, prioritizing endpoints interfacing with SharePoint or cloud collaboration platforms.
Mitigations
- Immediate Patching: Upgrade to LibreOffice 24.8.5 or 25.2.1 from the official website or through package managers.
- Network Monitoring: Scan logs for unusual vnd.libreoffice.command URI activations, particularly from untrusted sources.
- User Training: Educate staff on recognizing suspicious SharePoint links and reinforce policies against clicking unsolicited document URLs.
- Macro Hardening: Restrict macro execution to digitally signed scripts via Tools > Options > LibreOffice > Security > Macro Security
CVE-2025-1080 underscores the evolving challenges of securing open-source office suites against sophisticated social engineering attacks.
While LibreOffice’s rapid patching demonstrates improved responsiveness compared to earlier vulnerabilities like CVE-2022-3140, the recurrence of URI-handling flaws suggests a need for architectural audits of browser integration features.
As enterprises increasingly adopt hybrid office environments, cross-platform compatibility features will remain prime attack surfaces.
LibreOffice users must remain vigilant, treating even familiar collaboration platforms as potential threat vectors until comprehensive security frameworks become industry standard.
With cybercriminals increasingly targeting open-source software’s trust model, the burden falls on both developers and users to maintain the delicate balance between functionality and security.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free