CVE-2025-1080
📋 TL;DR
This vulnerability in LibreOffice allows attackers to craft malicious links using the 'vnd.libreoffice.command' URI scheme that can execute internal macros with arbitrary arguments when clicked in a browser. It affects LibreOffice users running versions 24.8.0-24.8.4 or 25.2.0 who have browser integration enabled. Successful exploitation could lead to arbitrary code execution on the victim's system.
💻 Affected Systems
- LibreOffice
📦 What is this software?
Libreoffice by Libreoffice
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the LibreOffice user, potentially leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Arbitrary macro execution leading to document manipulation, data exfiltration, or installation of malware through social engineering attacks.
If Mitigated
Limited impact if macros are disabled or browser integration is not used, though some functionality loss may occur.
🎯 Exploit Status
Exploitation requires social engineering to make users click malicious links but is technically straightforward once the link is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.8.5 or 25.2.1
Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080
Restart Required: Yes
Instructions:
1. Update LibreOffice to version 24.8.5 or 25.2.1 via your package manager or official website.
2. Restart LibreOffice after installation.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable browser integration
All platforms: Prevent LibreOffice from handling the vnd.libreoffice.command URI scheme in browsers
On Linux: Remove or modify .desktop file associations
On Windows: Modify registry HKEY_CLASSES_ROOT\vnd.libreoffice.command
Disable macros
All platforms: Prevent macro execution, which limits exploit impact
Tools → Options → LibreOffice → Security → Macro Security → Set to 'Very High'
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized LibreOffice execution
- Use network filtering to block malicious URI schemes at perimeter
🔍 How to Verify
Check if Vulnerable:
Check LibreOffice version via Help → About LibreOffice
Check Version:
libreoffice --version (Linux/macOS) or check About dialog (Windows)
Verify Fix Applied:
Confirm version is 24.8.5 or higher (for 24.8 branch) or 25.2.1 or higher (for 25.2 branch)
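A scripted form of the version check above, as an added example that is not taken from the vendor advisory. The function names and the sample `--version` line are assumptions constructed for illustration; versions outside the 24.8 and 25.2 branches are reported as `not-listed` because this page gives no ranges for them.

```shell
#!/bin/sh
# Added example: classify a LibreOffice version against the ranges stated on
# this page (affected: 24.8.0-24.8.4 and 25.2.0; fixed: 24.8.5 and 25.2.1).
# Function names are hypothetical, not part of LibreOffice.

# Extract the first major.minor.patch triple from `libreoffice --version`
# style output (or from a bare version string). Prints nothing if none found.
lo_extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print one of: vulnerable | fixed | not-listed | unparsed.
# Returns 2 when no version could be parsed, so callers can flag the host.
lo_cve_2025_1080_status() {
    ver=$(lo_extract_version "$1")
    if [ -z "$ver" ]; then
        echo unparsed
        return 2
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        # 24.8 branch: 24.8.0 through 24.8.4 affected, 24.8.5 and later fixed
        24.8) if [ "$patch" -le 4 ]; then echo vulnerable; else echo fixed; fi ;;
        # 25.2 branch: only 25.2.0 affected, 25.2.1 and later fixed
        25.2) if [ "$patch" -eq 0 ]; then echo vulnerable; else echo fixed; fi ;;
        # Branch not covered by the ranges on this page
        *)    echo not-listed ;;
    esac
}

# Constructed sample of `libreoffice --version` output (not captured from a host).
SAMPLE_OUTPUT='LibreOffice 24.8.4.2 480(Build:2)'
lo_cve_2025_1080_status "$SAMPLE_OUTPUT"
```

On a real host, call it as `lo_cve_2025_1080_status "$(libreoffice --version)"`.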
📡 Detection & Monitoring
Log Indicators:
- Unusual LibreOffice processes spawning from browser sessions
- Execution of macros from unexpected sources
Network Indicators:
- HTTP/HTTPS requests containing 'vnd.libreoffice.command' scheme
- Unusual outbound connections after LibreOffice launches
SIEM Query:
(process_name:"soffice.bin" AND parent_process:"browser.exe") OR cmdline:"vnd.libreoffice.command"