CVE-2018-16858

HIGH

LibreOffice Macro Python Code Execution

Title source: metasploit

Exploitation Summary

EIP tracks 6 public exploits for CVE-2018-16858. PoCs were published by Metasploit, 4nimanegra, and Henryisnotavailable, including the Metasploit module exploits/multi/fileformat/libreoffice_macro_exec.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2018-16858, a directory traversal vulnerability in LibreOffice that allows arbitrary code execution via malicious ODT files. It generates an ODT file with a mouse-over event triggering a Python script execution through a path traversal flaw.

Description

It was found that LibreOffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document which, when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · multiple
https://www.exploit-db.com/exploits/46727

This Metasploit module exploits CVE-2018-16858, a directory traversal vulnerability in LibreOffice that allows arbitrary code execution via malicious ODT files. It generates an ODT file with a mouse-over event triggering a Python script execution through a path traversal flaw.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LibreOffice (versions with bundled Python macros)
No auth needed
Prerequisites: Victim interaction (mouse-over event) · LibreOffice with Python macro support
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by 4nimanegra · poc
https://github.com/4nimanegra/libreofficeExploit1

This repository provides a detailed writeup and proof-of-concept exploit for CVE-2018-16858, a vulnerability in LibreOffice that allows arbitrary Python code execution via maliciously crafted ODT files. The exploit leverages directory traversal in hyperlink event handlers to execute Python scripts without user warning.

Classification: Working PoC | Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LibreOffice < 6.1.5
No auth needed
Prerequisites: Ability to deliver a maliciously crafted ODT file to the target · Target must open the file in a vulnerable version of LibreOffice
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Henryisnotavailable · poc
https://github.com/Henryisnotavailable/CVE-2018-16858-Python

This Python script generates a malicious FODT file to exploit CVE-2018-16858, a remote code execution vulnerability in LibreOffice. It embeds a crafted link and command into the document, which executes when opened.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LibreOffice (versions affected by CVE-2018-16858)
No auth needed
Prerequisites: Python environment · FODT-Template file · Victim to open the malicious file
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 star
by bantu2301 · poc
https://github.com/bantu2301/CVE-2018-16858

This repository contains a Python script designed to detect exploitation attempts of CVE-2018-16858 by monitoring network traffic for specific signatures and payloads. It analyzes captured packets to identify potential attackers and their targets.

Classification: Scanner 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Python pydoc module (Python 3.5.5)
No auth needed
Prerequisites: Network access to monitor traffic · tcpdump installed
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 star
by phongld97 · poc
https://github.com/phongld97/detect-cve-2018-16858

This repository contains a Python script designed to detect exploitation attempts of CVE-2018-16858 by monitoring network traffic for specific signatures and extracting attacker IP/port from shellcode. It does not exploit the vulnerability but analyzes traffic for signs of exploitation.

Classification: Scanner 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: LibreOffice (versions affected by CVE-2018-16858)
No auth needed
Prerequisites: Network access to monitor traffic · sudo privileges for tcpdump
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Alex Inführ, Shelby Pace · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb

This Metasploit module exploits CVE-2018-16858 in LibreOffice by generating a malicious ODT file that leverages a directory traversal vulnerability to execute arbitrary Python code via a mouse-over event, leading to RCE.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LibreOffice (versions with bundled Python macros)
No auth needed
Prerequisites: Victim interaction (mouse-over event) · LibreOffice with Python macro support
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16858
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152560/LibreOffice-Macro-Code-Execution.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46727/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2130
Mailing List mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Aug/28

Scores

CVSS v3 7.8
EPSS 0.9234
EPSS Percentile 99.7%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE CWE-22, CWE-356
Status published
Products (1)
libreoffice/libreoffice < 6.0.7
Published Mar 25, 2019
Tracked Since Feb 18, 2026