CVE-2025-64401
📋 TL;DR
Apache OpenOffice versions through 4.1.15 contain a missing authorization vulnerability where documents with floating frames linked to external files can load those external resources without user consent. This allows attackers to craft malicious documents that automatically fetch external content, potentially exposing users to further attacks. All users of affected Apache OpenOffice versions are vulnerable.
💻 Affected Systems
- Apache OpenOffice
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use malicious documents to automatically load external malicious content, leading to data exfiltration, malware installation, or further exploitation of the user's system without any user interaction beyond opening the document.
Likely Case
Attackers craft documents that automatically load tracking pixels, malicious scripts, or other external resources from attacker-controlled servers, potentially leading to information disclosure about the victim's environment or enabling follow-on attacks.
If Mitigated
With proper controls, the impact is limited to potential information leakage about document opening events, but no direct system compromise if external content is properly sandboxed.
🎯 Exploit Status
Exploitation requires the victim to open a malicious document. No authentication is required once the document is opened.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.16
Vendor Advisory: https://www.openoffice.org/security/cves/CVE-2025-64401.html
Restart Required: Yes
Instructions:
1. Download Apache OpenOffice 4.1.16 from the official website.
2. Close all OpenOffice applications.
3. Run the installer and follow the upgrade prompts.
4. Restart your computer to ensure all components are properly updated.
🔧 Temporary Workarounds
Disable external content loading
All platforms: Configure OpenOffice to block all external content loading
Not applicable - configuration change only
Use LibreOffice instead
All platforms: Switch to LibreOffice, which addressed similar issues earlier
sudo apt-get install libreoffice (Linux)
Download from https://www.libreoffice.org/ (Windows/macOS)
🧯 If You Can't Patch
- Only open documents from trusted sources and verify file integrity before opening
- Use document viewers that don't execute embedded content or links
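A pre-open triage check for the untrusted-document advice above, added here as an example (not code from Apache OpenOffice or the vendor advisory): it lists floating frames in an ODF package whose link target lies outside the package. It assumes ODF input, where such frames are `draw:floating-frame` elements carrying an `xlink:href`; the function names, the size cap and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DRAW_NS = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
FRAME_TAG = f"{{{DRAW_NS}}}floating-frame"
HREF_ATTR = f"{{{XLINK_NS}}}href"
MAX_XML_BYTES = 50 * 1024 * 1024  # assumed cap; refuse oversized XML members


def is_external(href):
    """True when a frame target lies outside the document package."""
    if not href or href.startswith("#"):
        return False
    if urlparse(href).scheme:  # http:, https:, file:, drive letters, ...
        return True
    # Relative hrefs stay in the package unless they climb out or are absolute/UNC.
    return href.startswith(("../", "/", "\\\\"))


def find_external_frames(odf_bytes):
    """Return (package member, href) for each externally linked floating frame."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(("content.xml", "styles.xml")):
                continue
            if info.file_size > MAX_XML_BYTES:
                raise ValueError(f"{info.filename}: XML member too large to triage")
            root = ET.fromstring(pkg.read(info))
            for frame in root.iter(FRAME_TAG):
                href = frame.get(HREF_ATTR, "")
                if is_external(href):
                    findings.append((info.filename, href))
    return findings


def build_sample(hrefs):
    """Constructed input: a minimal package (not a complete document)."""
    frames = "".join(f'<draw:floating-frame xlink:href="{h}"/>' for h in hrefs)
    xml = (f'<office:document-content xmlns:office="{OFFICE_NS}" '
           f'xmlns:draw="{DRAW_NS}" xmlns:xlink="{XLINK_NS}">{frames}'
           "</office:document-content>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", xml)
    return buf.getvalue()
```

To triage a file, call `find_external_frames(open(path, "rb").read())`. An empty list only means no externally linked floating frame was found in the package's `content.xml` and `styles.xml` members.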
🔍 How to Verify
Check if Vulnerable:
Check Help → About Apache OpenOffice and verify version is 4.1.15 or earlier
Check Version:
Open Apache OpenOffice, go to Help → About Apache OpenOffice
Verify Fix Applied:
Verify version shows 4.1.16 or later in Help → About Apache OpenOffice
📡 Detection & Monitoring
Log Indicators:
- Multiple external HTTP/HTTPS requests from OpenOffice process
- Unexpected network connections initiated after opening documents
Network Indicators:
- Outbound connections to unusual domains from OpenOffice process
- HTTP GET requests for external resources triggered by document opening
SIEM Query:
(process_name:"soffice.bin" OR process_name:"soffice.exe") AND (destination_port:80 OR destination_port:443) AND event_type:network_connection