Microsoft issued a critical patch to address CVE-2025-21298, a zero-click Remote Code Execution (RCE) vulnerability in Windows Object Linking and Embedding (OLE).
The vulnerability is a double-free bug in the ole32.dll library, putting millions of systems at risk with minimal user interaction.
Alarmingly, a Proof of Concept (PoC) exploit has already been published online, accelerating the urgency for organizations to respond.
Unlike traditional RCE exploits that require users to click on malicious links or open infected files, CVE-2025-21298 operates without direct user action.
Simply previewing a malicious RTF file in Microsoft Outlook is enough to trigger the exploit, making it highly dangerous in environments with large email volumes.
The vulnerability affects a wide array of systems, from Windows Server 2008 to Server 2025, and Windows 10/11 workstations.
While Microsoft Exchange Server and Outlook are not inherently vulnerable, they can act as gateways for delivering specially crafted RTF payloads.
The flaw lies in the UtOlePresStmToContentsStm function, used by ole32.dll to process embedded objects in RTF files. A memory mismanagement issue (double-free) allows heap corruption and potential arbitrary code execution.
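The delivery vector described above is an RTF file carrying an embedded OLE object. The following Python triage script is an added example, not code from the article, Microsoft, or the PoC repository: it walks the `{\object ...}` groups in an RTF attachment, decodes the OLE1 ObjectHeader from each `\objdata` blob, and reports the declared class and format so a mail gateway or IR analyst can hold embedded-object RTFs until hosts are confirmed patched. It flags the presence of embedded OLE payloads, not this specific bug. The sample RTF and its payload bytes are constructed, and the FormatID mapping (1 = linked, 2 = embedded) is taken from MS-OLEDS.

```python
import re
import struct
# Constructed sample (not a real exploit): one embedded OLE "Package" object whose
# \objdata hex is an OLE1 ObjectHeader (MS-OLEDS) followed by 4 placeholder bytes.
OBJDATA_HEX = (b"01050000" b"02000000"            # OLEVersion, FormatID (2 = embedded)
               b"08000000" b"5061636b61676500"    # ClassName length, "Package\0"
               b"00000000" b"00000000"            # TopicName, ItemName (both empty)
               b"04000000" b"44454144")           # NativeDataSize = 4, data "DEAD"
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objemb{\*\objclass Package}\objw1440\objh1440"
              rb"{\*\objdata " + OBJDATA_HEX + rb"}{\result {\pict\wmetafile8 00}}}\par x}")

def _object_groups(rtf: bytes):
    r"""Yield each {\object ...} group, matching braces by hand (escaped \{ and \} are skipped)."""
    pos = 0
    while (start := rtf.find(rb"{\object", pos)) >= 0:
        depth, i = 0, start
        while i < len(rtf):
            if rtf[i] == 0x5C:                      # backslash: skip the escaped byte
                i += 2
                continue
            depth += (rtf[i] == 0x7B) - (rtf[i] == 0x7D)   # '{' opens, '}' closes
            if depth == 0:
                yield rtf[start:i + 1]
                break
            i += 1
        pos = i + 1

def parse_ole_header(blob: bytes) -> dict:
    r"""Decode the OLE1 ObjectHeader at the front of an \objdata payload (raises on a short blob)."""
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    name = blob[12:12 + name_len].rstrip(b"\0").decode("latin-1", "replace")
    return {"ole_version": version, "class_name": name,
            "format": {1: "linked", 2: "embedded"}.get(fmt, f"unknown({fmt})")}

def scan_rtf(rtf: bytes) -> list:
    r"""One finding per OLE object group: declared \objclass plus the decoded \objdata header."""
    findings = []
    for group in _object_groups(rtf):
        m_class = re.search(rb"\\\*\\objclass\s+([^{}\\]*)", group)
        m_data = re.search(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]*)", group)
        f = {"objclass": m_class.group(1).strip().decode("latin-1") if m_class else None}
        if m_data:
            try:
                blob = bytes.fromhex(re.sub(rb"\s+", b"", m_data.group(1)).decode("ascii"))
                f["objdata_len"] = len(blob)
                f.update(parse_ole_header(blob))
            except (ValueError, struct.error):   # odd-length/non-hex data or a truncated header
                f["error"] = "malformed objdata"
        findings.append(f)
    return findings
```

Run `scan_rtf()` over each RTF attachment and hold any message whose findings include an `embedded` object; a malformed `\objdata` blob is itself worth a closer look.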
A public PoC for CVE-2025-21298 has been shared on GitHub (github.com/ynwarcs/CVE-2025-21298), demonstrating how attackers can easily exploit the vulnerability.
Although public exploitation isn’t yet widespread, the availability of PoC code increases the likelihood of attacks targeting this flaw.
As per a report by Vulnu, Microsoft’s January 2025 update resolves the issue by nullifying the pointer after the initial release, preventing reuse. The patch also includes enhancements to OLE’s memory-handling logic.
CVE-2025-21298 exemplifies the growing sophistication of zero-click exploits. To mitigate the threat, organizations must act quickly—install patches, review security protocols, and educate users.
The publication of PoC code raises the stakes, making timely action critical to safeguarding systems from abuse.