CVE-2025-14714: CWE-288 Authentication Bypass Using an Alternate Path or Channel in The Document Foundation LibreOffice
An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. By executing the bundled interpreter directly, the attacker's scripts run with the application's TCC privileges. In fixed versions, parent-constraints are used to allow only the main application to launch the interpreter with those permissions. This issue affects LibreOffice on macOS: from 25.2 before 25.2.4.
AI Analysis
Technical Summary
CVE-2025-14714 is an authentication bypass vulnerability classified under CWE-288, affecting LibreOffice on macOS versions 25.2 prior to 25.2.4. LibreOffice bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. TCC is a macOS security framework that controls access to sensitive resources such as the camera, microphone, and file system. The vulnerability allows an attacker with local access and low privileges to execute the bundled Python interpreter directly, thereby running malicious scripts with the same TCC permissions as the main LibreOffice application. This bypasses the intended security model where only the main application should have these permissions. The root cause is the lack of parent-constraints on the interpreter’s launch, allowing it to be invoked independently with elevated privileges. The fix implemented in LibreOffice 25.2.4 and later versions enforces parent-constraints, ensuring only the main application can launch the interpreter with TCC permissions. The vulnerability does not require user interaction and has no known exploits in the wild. The CVSS 4.0 score is 0.9, reflecting low severity due to the requirement for local low-privilege access and limited scope of impact. However, it poses a risk of privilege escalation on affected macOS systems running vulnerable LibreOffice versions.
Potential Impact
For European organizations, the primary impact of this vulnerability lies in the potential for local attackers or malicious insiders to escalate privileges on macOS systems running vulnerable LibreOffice versions. By exploiting this flaw, attackers could gain unauthorized access to sensitive resources protected by TCC, such as user files, camera, microphone, or other privacy-sensitive components. This could lead to data leakage, unauthorized surveillance, or further lateral movement within the network. Although exploitation requires local access, environments with shared workstations, remote desktop access, or insufficient endpoint security controls are at higher risk. The vulnerability could undermine compliance with European data protection regulations (e.g., GDPR) if sensitive personal data is accessed or exfiltrated. Given LibreOffice’s popularity in European public administrations, educational institutions, and enterprises, the vulnerability could affect a significant user base. However, the low severity and absence of known exploits reduce the immediate risk. Prompt patching will mitigate potential impacts effectively.
Mitigation Recommendations
European organizations should prioritize updating LibreOffice on macOS to version 25.2.4 or later, where the vulnerability is fixed by enforcing parent-constraints on the bundled Python interpreter. Additionally, organizations should audit macOS endpoint configurations to ensure TCC permissions are appropriately managed and restrict local user privileges to the minimum necessary. Implement endpoint detection and response (EDR) solutions capable of monitoring unusual script execution or interpreter launches. Educate users about the risks of running untrusted scripts and enforce application whitelisting policies to prevent unauthorized execution of bundled interpreters outside the main application context. Regularly review and restrict local user accounts to reduce the attack surface. For environments with shared or remote access, strengthen authentication controls and session monitoring. Finally, maintain an up-to-date inventory of software versions to quickly identify and remediate vulnerable installations.
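As an added illustration of the two controls recommended above (interpreter-launch monitoring and version inventory), not code from the advisory or from LibreOffice, the script below flags launches of an app-bundled Python interpreter whose parent process is not the main application binary, mirroring the parent constraint the fix enforces, and checks inventory versions against the affected range. The bundle path, interpreter path and process events are constructed placeholders, not the real LibreOffice.app layout.

```python
from dataclasses import dataclass

# ASSUMPTION: placeholder paths, not the real layout of LibreOffice.app.
APP_BUNDLE = "/Applications/LibreOffice.app/"
MAIN_BINARY = APP_BUNDLE + "Contents/MacOS/soffice"

# Affected range from the advisory: 25.2 up to but not including 25.2.4.
AFFECTED_FROM = (25, 2, 0)
FIXED_IN = (25, 2, 4)


def is_affected(version: str) -> bool:
    """True for a LibreOffice-for-macOS version string inside [25.2, 25.2.4)."""
    parts = tuple(int(p) for p in version.split("."))
    parts = (parts + (0, 0, 0))[:3]  # pad "25.2" to (25, 2, 0)
    return AFFECTED_FROM <= parts < FIXED_IN


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    path: str


def is_bundled_interpreter(path: str) -> bool:
    """Executable inside the app bundle whose name looks like a Python interpreter."""
    name = path.rsplit("/", 1)[-1].lower()
    return path.startswith(APP_BUNDLE) and name.startswith("python")


def find_unexpected_launches(events):
    """Bundled-interpreter launches whose parent is not the main app binary.

    A launch parented by a shell, Terminal or any other user process is the
    alternate path the fix closes, so it is what an EDR rule should surface.
    """
    by_pid = {e.pid: e for e in events}
    flagged = []
    for e in events:
        if not is_bundled_interpreter(e.path):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.path != MAIN_BINARY:
            flagged.append(e)
    return flagged


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    ProcEvent(pid=100, ppid=1, path=MAIN_BINARY),
    ProcEvent(pid=101, ppid=100, path=APP_BUNDLE + "Contents/Resources/python"),  # expected
    ProcEvent(pid=200, ppid=1, path="/bin/zsh"),
    ProcEvent(pid=201, ppid=200, path=APP_BUNDLE + "Contents/Resources/python"),  # flag
    ProcEvent(pid=202, ppid=200, path="/usr/bin/python3"),  # system interpreter, out of scope
]
```

Running `find_unexpected_launches(SAMPLE_EVENTS)` on the constructed events returns only pid 201, the bundled interpreter started from a shell.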
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Document Fdn.
- Date Reserved: 2025-12-15T09:52:45.310Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693fea3cd9bcdf3f3dd304f7
Added to database: 12/15/2025, 11:00:12 AM
Last enriched: 12/22/2025, 12:18:19 PM
Last updated: 2/7/2026, 7:55:44 AM