CVE-2025-11940 is a vulnerability identified in the LibreWolf browser's installer component on Windows platforms, specifically affecting versions up to 143.0.4-1. The issue arises from an uncontrolled search path in the file assets/setup.nsi, which is part of the installer script. This flaw allows an attacker with local access and low-level privileges to manipulate the search path used during installation or setup, potentially causing the installer to load malicious files or code. The attack complexity is high, indicating that exploitation requires significant skill and conditions, and no user interaction is necessary. The vulnerability impacts confidentiality, integrity, and availability by potentially enabling local privilege escalation or arbitrary code execution. The vulnerability has been assigned a CVSS 4.0 score of 7.3, reflecting its high severity. The patch identified by commit dd10e31dd873e9cb309fad8aed921d45bf905a55 addresses the issue, and upgrading to LibreWolf version 144.0-1 fully mitigates the risk. No known exploits have been reported in the wild, but the vulnerability's nature warrants prompt remediation to prevent future attacks.

For European organizations, this vulnerability poses a significant risk primarily in environments where LibreWolf is deployed on Windows systems. The local attack vector means that threat actors would need some form of initial access, such as through compromised user accounts or insider threats. Successful exploitation could lead to local privilege escalation, allowing attackers to execute arbitrary code with elevated privileges, potentially compromising sensitive data and system integrity. This could disrupt business operations and lead to data breaches, especially in sectors with high security requirements such as finance, government, and critical infrastructure. The high complexity and lack of known exploits reduce immediate risk but do not eliminate the threat, particularly in targeted attacks. Organizations relying on LibreWolf for secure browsing or privacy-focused applications must consider this vulnerability a priority for patching to maintain their security posture.

European organizations should immediately upgrade all affected LibreWolf installations on Windows to version 144.0-1 or later, which contains the patch for this vulnerability. Beyond upgrading, organizations should enforce strict local access controls and monitor for unusual installer activity or unauthorized file modifications in installation directories. Implement application whitelisting to prevent unauthorized executables from running during installation processes. Conduct regular audits of user privileges to minimize the number of users with local low-level privileges that could be leveraged in such attacks. Additionally, educate users about the risks of local attacks and ensure endpoint protection solutions are up to date to detect potential exploitation attempts. For environments where upgrading is delayed, consider isolating affected systems and restricting access to trusted personnel only.