CVE-2025-21298

Microsoft Windows OLE, remote code execution via Outlook email

Windows OLE Remote Code Execution Vulnerability.

Overview

CVE-2025-21298 is a critical remote code execution vulnerability in the Windows OLE (Object Linking and Embedding) component. The vulnerability is triggered when Microsoft Outlook renders maliciously crafted RTF content in the email body. Critically, exploitation requires no user interaction beyond the email being rendered in the Preview Pane; no clicks on the email or attachments are necessary. This makes it an exceptionally dangerous attack vector for enterprise environments.

Technical Details

The vulnerability is a use-after-free condition in the Windows OLE component responsible for handling embedded objects in RTF documents. When Outlook processes an email containing specially crafted RTF content, the OLE component improperly accesses memory after it has been freed, leading to memory corruption.

The attack flow is straightforward:

  1. Attacker sends a malicious email with crafted RTF content in the body
  2. Victim's Outlook client receives the email
  3. The user selects the email, or the Preview Pane renders it automatically as they navigate near it
  4. The OLE component processes the RTF content, triggering the use-after-free
  5. Attacker achieves arbitrary code execution in the context of the user

Microsoft has rated this vulnerability as "Exploitation More Likely," indicating that functional exploit code is expected to emerge rapidly.

Impact

The impact of this vulnerability is severe:

  • Remote Code Execution: Attackers can execute arbitrary code with the privileges of the logged-in user
  • Zero-Click Exploitation: The Preview Pane attack vector means no user interaction is required beyond receiving the email
  • Mass Exploitation Potential: Phishing-as-a-service operations could weaponize this against numerous organizations simultaneously
  • Wide Attack Surface: Most enterprise users keep Preview Pane enabled by default

While no confirmed in-the-wild exploitation was reported at the January 2025 disclosure, the trivial exploitation path makes rapid weaponization highly likely.

Mitigation

  1. Apply the January 2025 cumulative update for Windows and ensure M365 Apps are updated to current channels
  2. Workaround for delayed patching: Configure Outlook to read all email in plain text (Outlook Options → Trust Center → Email Security → "Read all standard mail in plain text"). This disables RTF/HTML rendering, which removes the attack vector
  3. Email gateway controls: Block or sanitize RTF body content at the email gateway; RTF is rarely used in legitimate business communications
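The gateway control in step 3 needs a reliable way to recognise RTF body content, and the same check is what the detection guidance below calls "anomalous RTF-containing emails at the gateway level". The following is an added example, not part of the original advisory or of any vendor product: a filter that walks a parsed MIME message and reports every part that carries RTF, whether by declared content type, by the winmail.dat TNEF wrapper Outlook uses for RTF-formatted mail, or by the `{\rtf` magic inside a part that claims to be something else. The sample messages are constructed inline with the standard library so the check runs offline.

```python
"""Flag inbound mail that carries RTF body content at the gateway.

Added example (not from the advisory). A gateway would run rtf_findings()
on each inbound message and quarantine or strip anything it reports.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# MIME types under which RTF travels. application/ms-tnef is the winmail.dat
# wrapper Outlook uses when it sends a message in Rich Text format.
RTF_CONTENT_TYPES = {"text/rtf", "application/rtf", "application/ms-tnef"}
RTF_MAGIC = b"{\\rtf"            # start of every RTF document
TNEF_MAGIC = b"\x78\x9f\x3e\x22"  # TNEF signature 0x223E9F78, little-endian


def rtf_findings(raw: bytes) -> list[str]:
    """Return one human-readable finding per RTF-bearing MIME part (empty if clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        payload = (part.get_payload(decode=True) or b"").lstrip()
        if ctype in RTF_CONTENT_TYPES:
            findings.append(f"declared RTF part: {ctype}")
        elif filename == "winmail.dat" or payload.startswith(TNEF_MAGIC):
            findings.append("TNEF attachment winmail.dat (Outlook RTF wrapper)")
        elif payload.startswith(RTF_MAGIC):
            # Body bytes are RTF even though the header says otherwise.
            findings.append(f"RTF magic inside part declared as {ctype}")
    return findings


def build_sample(body_ctype: str, body: bytes, tnef: bool = False) -> bytes:
    """Build a constructed test message (not captured traffic) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    maintype, subtype = body_ctype.split("/", 1)
    if maintype == "text":
        msg.set_content(body.decode("ascii"), subtype=subtype)
    else:
        msg.set_content(body, maintype=maintype, subtype=subtype)
    if tnef:
        # winmail.dat sent under a generic type, as some clients and relays do.
        msg.add_attachment(TNEF_MAGIC + b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename="winmail.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "plain":        build_sample("text/plain", b"hello"),
        "declared rtf": build_sample("text/rtf", b"{\\rtf1\\ansi hello}"),
        "hidden rtf":   build_sample("text/plain", b"{\\rtf1\\ansi hidden}"),
        "tnef":         build_sample("text/plain", b"hello", tnef=True),
    }
    for name, raw in samples.items():
        print(f"{name:>13}: {rtf_findings(raw) or 'clean'}")
```

The three branches are deliberately ordered from strongest evidence to weakest: a declared RTF type is unambiguous, a TNEF wrapper always contains the Outlook RTF body, and the magic-bytes check catches a body mislabelled as text/plain or text/html, which is the case a type-based gateway rule alone would miss.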

Detection

No public information available regarding specific detection signatures or indicators of compromise. Organizations should monitor for unusual Outlook process behavior, unexpected child processes spawned by Outlook, and anomalous RTF-containing emails at the gateway level.
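Because exploitation runs code inside the Outlook process itself, the most useful host-side signal is Outlook spawning something it normally never does. The following is an added example, not from the advisory: triage logic over process-creation telemetry (the JSON lines are constructed in the shape of Sysmon Event ID 1 fields, not real captures) that alerts on any child of `outlook.exe` outside a baseline allowlist, and raises the severity when the child is a script host or a proxy binary. Both the allowlist and the high-risk list are assumptions to be tuned per environment.

```python
"""Flag unexpected child processes of Outlook in process-creation telemetry.

Added example (not from the advisory). Feed triage() the JSON lines your
EDR or Sysmon pipeline exports; each finding carries a severity and context.
"""
import json
from typing import Optional

# Hypothetical baseline of children Outlook legitimately launches; tune per environment.
EXPECTED_OUTLOOK_CHILDREN = {"winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe"}

# Interpreters and proxy binaries whose appearance under Outlook warrants a high-severity alert.
HIGH_RISK_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    if _basename(event.get("ParentImage", "")) != "outlook.exe":
        return None                      # only Outlook children are in scope
    child = _basename(event.get("Image", ""))
    if child in EXPECTED_OUTLOOK_CHILDREN:
        return None                      # known-good child, no alert
    return "high" if child in HIGH_RISK_CHILDREN else "medium"


def triage(lines: list) -> list:
    """Parse JSON-lines events and return findings for suspicious Outlook children."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "time": event.get("UtcTime", ""),
            "host": event.get("Computer", ""),
            "user": event.get("User", ""),
            "child": _basename(event.get("Image", "")),
            "command_line": event.get("CommandLine", ""),
        })
    return findings


# Constructed sample telemetry (hostnames, users and paths are placeholders).
SAMPLE_EVENTS = r"""
{"UtcTime":"2025-01-15 09:01:10","Computer":"WS01","User":"CORP\\alice","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE /n"}
{"UtcTime":"2025-01-15 09:02:44","Computer":"WS01","User":"CORP\\alice","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc AAAA"}
{"UtcTime":"2025-01-15 09:02:45","Computer":"WS01","User":"CORP\\alice","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll,Start"}
{"UtcTime":"2025-01-15 09:05:00","Computer":"WS02","User":"CORP\\bob","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}
{"UtcTime":"2025-01-15 09:06:12","Computer":"WS02","User":"CORP\\bob","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\contoso-plugin.exe","CommandLine":"contoso-plugin.exe"}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS.splitlines()):
        print(f"[{finding['severity']:^6}] {finding['time']} {finding['host']} "
              f"{finding['user']}: outlook.exe -> {finding['child']}  {finding['command_line']}")
```

The explorer.exe-spawned PowerShell in the sample is intentionally ignored: the rule is scoped to the Outlook parent so that ordinary administrative shells do not drown the signal. Anything Outlook launches that is not on the baseline is reported, and an interpreter or proxy binary under Outlook is escalated because that pairing is the typical first step after in-process code execution.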