CVE-2025-64402
📋 TL;DR
Apache OpenOffice versions through 4.1.15 have a missing authorization vulnerability where documents containing OLE objects with external links can automatically load those external files without user permission. This allows attackers to craft malicious documents that could access sensitive files or resources. All users of affected Apache OpenOffice versions are vulnerable.
💻 Affected Systems
- Apache OpenOffice
⚠️ Risk & Real-World Impact
Worst Case
An attacker could craft a document that loads sensitive local files (like SSH keys, configuration files, or credentials) or accesses network resources without user knowledge, potentially leading to data exfiltration or further system compromise.
Likely Case
Attackers could use crafted documents to load arbitrary files from the victim's system or network shares, potentially exposing sensitive information or enabling reconnaissance for further attacks.
If Mitigated
With proper security controls like file restrictions, network segmentation, and user awareness, the impact is limited to potential information disclosure from accessible files.
🎯 Exploit Status
Exploitation requires the victim to open a malicious document. No authentication is required once the document is opened.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.16
Vendor Advisory: https://www.openoffice.org/security/cves/CVE-2025-64402.html
Restart Required: Yes
Instructions:
1. Download Apache OpenOffice 4.1.16 from the official website.
2. Close all OpenOffice applications.
3. Run the installer and follow the upgrade prompts.
4. Restart your computer to ensure all components are updated.
🔧 Temporary Workarounds
Disable automatic link loading
All platforms: Configure OpenOffice to prompt before loading external links
Restrict document sources
All platforms: Only open documents from trusted sources and avoid unknown documents
🧯 If You Can't Patch
- Implement application whitelisting to restrict which documents can be opened
- Use file system permissions to restrict access to sensitive files from OpenOffice
🔍 How to Verify
Check if Vulnerable:
Open Help → About Apache OpenOffice; the installation is vulnerable if the version shown is 4.1.15 or earlier
Check Version:
Open OpenOffice → Help → About Apache OpenOffice
Verify Fix Applied:
Verify version shows 4.1.16 or later in Help → About Apache OpenOffice
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from OpenOffice process
- Multiple external resource requests from OpenOffice
Network Indicators:
- Unexpected network connections initiated by OpenOffice to external resources
SIEM Query:
process_name:"soffice.bin" AND (event_type:"file_access" OR dest_ip_exists:true)