CVE-2025-64402
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-13

Assigner: Apache Software Foundation

Description
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used "OLE objects" linked to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-13
Generated
2026-05-07
AI Q&A
2025-11-12
EPSS Evaluated
2026-05-05
NVD
CVE-2025-64402
EUVD
EUVD-2025-124981
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache openoffice to 4.1.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Apache OpenOffice (up to version 4.1.15) involves a missing authorization check that allows documents containing OLE (Object Linking and Embedding) objects linked to external files to automatically load those external files without prompting the user for permission. An attacker can craft a malicious document that triggers this automatic loading of external content, potentially leading to unauthorized data access or other security risks. The issue is fixed in version 4.1.16. [1, 3]


How can this vulnerability impact me? :

The vulnerability can lead to unauthorized loading of external content when opening a crafted document, which may result in unauthorized data access or exposure to other security risks. This could compromise the confidentiality or integrity of your data if malicious external files are loaded without your consent. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Apache OpenOffice documents containing OLE objects linked to external files that load without user authorization. Detection can involve monitoring for Apache OpenOffice document files (.odt, .ods, .odp, etc.) that contain OLE objects linking to external resources. On the system, you can scan documents for embedded OLE links. On the network, monitoring for unexpected outbound connections initiated by Apache OpenOffice processes when opening documents may help detect exploitation attempts. Specific commands are not provided in the resources. [1, 3]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Apache OpenOffice to version 4.1.16, which contains the fix for this missing authorization check vulnerability. Until the upgrade is applied, users should avoid opening untrusted documents containing OLE objects linked to external files. [1, 3]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart