CVE-2019-9848

CRITICAL

LibreOffice < 6.2.5 - Remote Code Execution via LibreLogo Python Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9848. PoCs published by Nils Emmerich, Shelby Pace, LoadLow, Gabriel Masei, including Metasploit module exploits/multi/fileformat/libreoffice_logo_exec.

AI-analyzed exploit summary This Metasploit module exploits CVE-2018-16858 in LibreOffice by generating an ODT file with a malicious macro that executes arbitrary Python code, leading to remote code execution (RCE). The payload is embedded as a base64-encoded string and executed via Python's eval function.

Description

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

Exploits (1)

metasploit WORKING POC NORMAL
by Nils Emmerich, Shelby Pace, LoadLow, Gabriel Masei · rubypocpython
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/fileformat/libreoffice_logo_exec.rb

This Metasploit module exploits CVE-2018-16858 in LibreOffice by generating an ODT file with a malicious macro that executes arbitrary Python code, leading to remote code execution (RCE). The payload is embedded as a base64-encoded string and executed via Python's eval function.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: LibreOffice (versions affected by CVE-2018-16858)
No auth needed
Prerequisites: Target must open the malicious ODT file in a vulnerable version of LibreOffice
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4063-1/
Broken Link vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/109374
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-13
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Aug/28
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html

Scores

CVSS v3 9.8
EPSS 0.3070
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (9)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
debian/debian_linux 8.0
fedoraproject/fedora 29
fedoraproject/fedora 30
libreoffice/libreoffice < 6.2.5
opensuse/leap 15.0
opensuse/leap 15.1
Published Jul 17, 2019
Tracked Since Feb 18, 2026