CVE-2025-21298: Critical Windows OLE Zero-Click RCE

Q: What is the CVSS score of CVE-2025-21298?

The CVSS score is 9.8 , classifying it as critical . This rating reflects the vulnerability's ability to be exploited remotely, without authentication or user interaction.

Table of Contents

What is CVE-2025-21298?

CVE-2025-21298 is a critical remote code execution (RCE) vulnerability in Microsoft Windows’ Object Linking and Embedding (OLE) component. The flaw resides in the ole32.dll library, specifically within the UtOlePresStmToContentsStm function, which processes embedded OLE objects in Rich Text Format (RTF) files. A double-free condition in this function can be exploited to execute arbitrary code without user interaction.

Quick Facts

CVE ID: CVE-2025-21298
Severity: Critical
CVSS Score: 9.8
Attack Vector: Remote
Privileges Required: None
User Interaction: None (Zero-Click)
Impact: Remote Code Execution

Who Should Be Concerned?

Organizations and individuals using the following Windows versions are at risk:

Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
Windows 11 (versions 22H2, 23H2, 24H2)
Windows Server (2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2025)

Given the widespread use of Microsoft Outlook and Word, which can process RTF files, the potential impact is significant.

Exploitation Details

An attacker can exploit this vulnerability by sending a specially crafted RTF file containing malicious OLE objects. When the victim previews or opens the file in applications like Microsoft Outlook or Word, the double-free condition is triggered, leading to memory corruption and potential code execution. Notably, this is a zero-click vulnerability; merely previewing the email is sufficient to trigger the exploit.

Potential Impact

Successful exploitation can result in:

Installation of malicious programs
Unauthorized access to sensitive data
Creation of new accounts with full user rights.

The vulnerability has a CVSS score of 9.8, categorizing it as critical.

Vulnerability Timeline

Discovery Date: January 2025
Public Disclosure: January 2025
Patch Release: January 2025

Proof of Concept (PoC)

A proof-of-concept demonstrating the memory corruption issue has been published on GitHub. The PoC involves a crafted RTF file designed to trigger the double-free condition in the ole32.dll library.

rtf

{\rtf1
{\object\objhtml\objw1\objh1\objupdate\rsltpict
{\*\objclass None}
{\*\objdata 0105000002000000
0a000000
53746174696344696200
00000000
00000000
04000000
00000000
00000000
05000000
02000000
aa00
02000000
00000000
}
}}

This RTF content, when processed by vulnerable applications, can lead to memory corruption and potential code execution.

Mitigation Strategies

Apply Security Updates: Microsoft has released patches addressing this vulnerability. Ensure all systems are updated.
Restrict RTF Processing: Limit the use of RTF files in email clients and consider converting emails to plain text.
User Training: Educate users about the risks of opening unsolicited attachments.
Implement Security Tools: Utilize antivirus and endpoint protection solutions that can detect and block malicious RTF files.

Conclusion

CVE-2025-21298 poses a significant threat due to its zero-click nature and the availability of proof-of-concept code. Organizations must prioritize patching and implement defensive measures to mitigate the risk associated with this vulnerability.

CVE-2025-21298 FAQs

What is CVE-2025-21298?

CVE-2025-21298 is a critical zero-click RCE vulnerability in Windows OLE, allowing attackers to execute code via crafted RTF files.

Which Windows versions are affected?

Multiple versions, including Windows 10, 11, and various Windows Server editions.

Has Microsoft released a patch for CVE-2025-21298?

Yes, patches were released in January 2025.

Is there any known exploitation in the wild?

As of now, there are no confirmed reports of active exploitation.

How can I protect my systems?

Apply the latest security updates, restrict RTF processing, and educate users about potential risks.

Does this vulnerability require user interaction?

No, it is a zero-click vulnerability; merely previewing a malicious email can trigger it.

What is the CVSS score of CVE-2025-21298?

The CVSS score is 9.8, classifying it as critical. This rating reflects the vulnerability’s ability to be exploited remotely, without authentication or user interaction.

Where can I find the official CVE page for CVE-2025-21298?

The National Vulnerability Database (NVD) has an official page detailing CVE-2025-21298, including technical metrics and patch references. You can view it at: https://nvd.nist.gov/vuln/detail/CVE-2025-21298

Does this vulnerability only affect Microsoft Outlook?

No. While Outlook is a primary vector for attack due to RTF previewing, any application that uses the vulnerable ole32.dll library and opens malicious RTF content is potentially exploitable — including Microsoft Word and third-party software.

Can disabling OLE features mitigate CVE-2025-21298?

Disabling OLE object rendering or restricting RTF support in applications can reduce exposure but does not replace the need to patch. Mitigation should be layered: patching, configuration hardening, and user awareness.