CVE-2025-64402
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-13

Assigner: Apache Software Foundation

Description
Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used "OLE objects" linked to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-13
Generated
2026-06-16
AI Q&A
2025-11-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64402
EUVD
EUVD-2025-124981
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache openoffice to 4.1.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Apache OpenOffice (up to version 4.1.15) involves a missing authorization check that allows documents containing OLE (Object Linking and Embedding) objects linked to external files to automatically load those external files without prompting the user for permission. An attacker can craft a malicious document that triggers this automatic loading of external content, potentially leading to unauthorized data access or other security risks. The issue is fixed in version 4.1.16. [1, 3]

Impact Analysis

The vulnerability can lead to unauthorized loading of external content when opening a crafted document, which may result in unauthorized data access or exposure to other security risks. This could compromise the confidentiality or integrity of your data if malicious external files are loaded without your consent. [1, 3]

Detection Guidance

This vulnerability involves Apache OpenOffice documents containing OLE objects linked to external files that load without user authorization. Detection can involve monitoring for Apache OpenOffice document files (.odt, .ods, .odp, etc.) that contain OLE objects linking to external resources. On the system, you can scan documents for embedded OLE links. On the network, monitoring for unexpected outbound connections initiated by Apache OpenOffice processes when opening documents may help detect exploitation attempts. Specific commands are not provided in the resources. [1, 3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Apache OpenOffice to version 4.1.16, which contains the fix for this missing authorization check vulnerability. Until the upgrade is applied, users should avoid opening untrusted documents containing OLE objects linked to external files. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart