CVE-2019-9848

9.8 CRITICAL

📋 TL;DR

This vulnerability in LibreOffice allows malicious documents to execute arbitrary Python commands silently without user warning. Attackers can embed scripts that trigger when documents are opened or interacted with, leading to remote code execution. It affects LibreOffice versions prior to 6.2.5.

💻 Affected Systems

Products:
  • LibreOffice
Versions: prior to 6.2.5
Operating Systems: All operating systems where LibreOffice is installed
Default Config Vulnerable: ⚠️ Yes
Notes: LibreLogo feature is typically bundled and enabled by default; no special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Malicious document execution leading to data theft, ransomware deployment, or credential harvesting from the victim's system.

🟢 If Mitigated

Limited impact if documents are from trusted sources only and macro execution is disabled, though the vulnerability bypasses typical macro warnings.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening a document), but malicious documents can be distributed via email or downloads.
🏢 Internal Only: HIGH - Internal users frequently share documents; a single compromised document could spread malware across the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user to open a malicious document; proof-of-concept details are publicly available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.5 or later

Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/

Restart Required: No

Instructions:

1. Update LibreOffice to version 6.2.5 or newer via your package manager or official download.
2. For Linux: Use 'sudo apt update && sudo apt upgrade libreoffice' (Debian/Ubuntu) or equivalent.
3. For Windows/macOS: Download and install the latest version from libreoffice.org.

🔧 Temporary Workarounds

Disable LibreLogo

Applies to: all

Remove or disable the LibreLogo feature to prevent script execution.

On Linux: sudo apt remove libreoffice-script-provider-python
On Windows: Uninstall LibreLogo via Add/Remove Programs or disable in Tools > Options > LibreOffice > Advanced

Restrict Document Sources

Applies to: all

Only open documents from trusted sources and disable automatic script execution.

In LibreOffice: Tools > Options > Security > Macro Security > Set to 'Very High'

🧯 If You Can't Patch

  • Use alternative office software that is not vulnerable, such as updated versions of other suites.
  • Implement application whitelisting to block LibreOffice execution entirely in high-risk environments.

🔍 How to Verify

Check if Vulnerable:

Check LibreOffice version: In the application, go to Help > About LibreOffice. If version is below 6.2.5, it is vulnerable.

Check Version:

libreoffice --version (Linux/macOS) or check via Help menu in GUI.

Verify Fix Applied:

After updating, confirm version is 6.2.5 or higher via Help > About LibreOffice. Test with a safe document that previously triggered LibreLogo events.
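The version check above, scripted as an added example (not part of the advisory): it parses the first line of `libreoffice --version` output, which has the form "LibreOffice 6.0.7.3 00m0(Build:3)" (a constructed sample of the real format), and compares the dotted version numerically against the fixed release 6.2.5. Run it with `--check-local` to query the installed binary; the functions can also be called on captured output from an inventory export.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a LibreOffice version
# string as vulnerable or fixed for CVE-2019-9848 (fixed in 6.2.5).

FIXED_VERSION="6.2.5"

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Missing trailing fields count as 0, so "6.2.5" is not lower than "6.2.5.0".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# extract_version LINE: pull the dotted version out of a line such as
# "LibreOffice 6.0.7.3 00m0(Build:3)" (constructed sample of the real format).
# Prints nothing when the line does not look like LibreOffice output.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^LibreOffice \([0-9][0-9.]*[0-9]\).*/\1/p'
}

# classify_version_output LINE: print "vulnerable", "fixed" or "unknown".
classify_version_output() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Stand-alone use: query the installed binary, if any.
if [ "${1:-}" = "--check-local" ]; then
    out=$(libreoffice --version 2>/dev/null | head -n 1)
    echo "${out:-no libreoffice binary found} -> $(classify_version_output "$out")"
fi
```

The numeric comparison matters: a plain string compare would rank 6.10.x below 6.2.5, and a four-field build such as 6.2.5.2 must still count as fixed.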

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from LibreOffice (e.g., python.exe, cmd.exe)
  • Log entries showing document events triggering scripts in LibreOffice logs

Network Indicators:

  • Outbound connections from LibreOffice process to unknown IPs, potentially indicating command-and-control activity

SIEM Query:

Process creation where parent process contains 'libreoffice' and child process is 'python' or 'cmd'
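The SIEM logic above, as an added example that is not part of the advisory, run over constructed process-creation records. The record layout (`timestamp,host,parent_image,child_image,command_line`) is an assumption chosen for the example, as are all hosts and paths. The filter matches parents containing either `libreoffice` or `soffice`, because LibreOffice's main executable is `soffice.bin` and a rule keyed only on the word `libreoffice` would miss installs whose path does not include it.

```shell
#!/bin/sh
# Added example, not from the advisory: apply the page's detection rule
# ("parent contains libreoffice, child is python or cmd") to process
# creation telemetry. Record format (an assumption for this example):
#   timestamp,host,parent_image,child_image,command_line

# Constructed sample telemetry; hosts, paths and commands are invented.
sample_process_log() {
    cat <<'EOF'
2019-07-15T09:12:01Z,ws01,C:\Program Files\LibreOffice\program\soffice.bin,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
2019-07-15T09:12:03Z,ws01,C:\Program Files\LibreOffice\program\soffice.bin,C:\Program Files\LibreOffice\program\python.exe,python.exe -c print(1)
2019-07-15T09:15:44Z,ws02,/usr/lib/libreoffice/program/soffice.bin,/usr/bin/python3,python3 /tmp/script.py
2019-07-15T09:20:10Z,ws02,/usr/lib/libreoffice/program/soffice.bin,/usr/bin/gs,gs -dBATCH render.ps
2019-07-15T09:21:00Z,ws03,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe
2019-07-15T09:25:30Z,ws04,/usr/bin/bash,/usr/bin/python3,python3 build.py
EOF
}

# flag_libreoffice_spawns: read records on stdin and print those whose
# parent image is a LibreOffice process and whose child image basename is
# a python interpreter (python, python3, python.exe, ...) or cmd / cmd.exe.
# Matching is case-insensitive; both slash styles are handled.
flag_libreoffice_spawns() {
    awk -F',' '{
        parent = tolower($3)
        child  = tolower($4)
        n = split(child, parts, "[\\\\/]")
        base = parts[n]
        if ((index(parent, "libreoffice") || index(parent, "soffice")) &&
            (base ~ /^python[0-9.]*(\.exe)?$/ || base == "cmd" || base == "cmd.exe"))
            print
    }'
}

# count_hits: number of flagged records in the constructed sample.
count_hits() {
    sample_process_log | flag_libreoffice_spawns | wc -l | tr -d ' '
}

# Stand-alone use: show the flagged records.
if [ "${1:-}" = "--demo" ]; then
    sample_process_log | flag_libreoffice_spawns
fi
```

On the sample, the three LibreOffice-to-cmd/python spawns on ws01 and ws02 are flagged; the ghostscript child, and the cmd and python children of explorer.exe and bash, are not. The host-name check in the test shows how to confirm that a rule is keyed on the parent rather than the child alone.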

🔗 References
