Apache OpenOffice has launched model 4.1.16, addressing seven essential safety vulnerabilities that allow unauthorized distant doc loading and reminiscence corruption assaults.
These flaws signify a big safety danger to customers of the favored open-source workplace suite. Essentially the most extreme vulnerabilities contain unauthorized distant content material loading with out consumer prompts or warnings.
Attackers can exploit these weaknesses to load malicious exterior paperwork by means of a number of assault vectors:
Unauthorized Distant Content material Loading
CVE-2025-64401 permits distant doc loading by way of IFrame components, whereas CVE-2025-64402 leverages OLE objects for a similar objective.
CVE-2025-64403 exploits the Calc spreadsheet software by means of exterior information sources, and CVE-2025-64404 abuses background and bullet photos.
Moreover, CVE-2025-64405 manipulates the DDE perform to fetch distant content material with out consumer interplay.
These distant content-loading vulnerabilities create alternatives for attackers to ship malware and steal delicate info.
Conduct focused phishing campaigns by embedding malicious content material in seemingly reputable workplace paperwork.
Reminiscence Corruption and Information Exfiltration
Past unauthorized content material loading, CVE-2025-64406 introduces a essential reminiscence corruption vulnerability throughout CSV file imports.
This flaw may allow arbitrary code execution if efficiently exploited with specifically crafted CSV information. OpenOffice regarding the situation is CVE-2025-64407, which permits URL fetching to extract arbitrary INI file values and setting variables.
This vulnerability permits attackers to extract delicate configuration information and system info from affected methods.
Customers ought to replace to Apache OpenOffice 4.1.16 instantly to patch these vulnerabilities. The affected variations embody all installations earlier than 4.1.16.
Organizations counting on OpenOffice for doc processing ought to prioritize this replace of their patch administration schedules.
The earlier model 4.1.15 addressed further essential points, together with use-after-free vulnerabilities, arbitrary file write capabilities in Base, and macro execution flaws.
These layered fixes exhibit ongoing safety challenges within the OpenOffice codebase. OpenOffice system directors ought to implement the next measures: Deploy model 4.1.16 throughout all methods, prohibit macro execution insurance policies.
Disable DDE features when not required and implement community monitoring to detect suspicious document-loading conduct. Customers ought to train warning when opening paperwork from untrusted sources till updates are absolutely deployed.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.
