Vulnerability description:
Microsoft Windows: CVE-2025-21298 is a critical remote code execution vulnerability in Windows OLE with a CVSS score of 9.8. An attacker can exploit it by sending a specially crafted email to a Microsoft Outlook user; simply opening or previewing the malicious email in Outlook is enough to trigger arbitrary code execution on the victim's system.
Vulnerability POC:
The CVE-2025-21298 vulnerability is located in ole32.dll, specifically a double free in the function UtOlePresStmToContentsStm. This function converts an OLE object's presentation stream into a "CONTENTS" stream and is reached when Outlook parses an OLE object embedded in a Rich Text Format (RTF) message, something Outlook does routinely.
The problem is the local variable pstmContents. At the start of the function it holds a pointer to a newly created "CONTENTS" stream object. That stream is destroyed immediately after creation: the reference is released, which runs coml2.dll!ExposedStream::~ExposedStream and frees the object, but pstmContents is not cleared and still holds the dangling pointer. Later in the function the variable may be reused to hold a fresh "CONTENTS" stream pointer, so the cleanup code at the end of the function releases whatever the variable points to if it is non-NULL. That cleanup does not account for the case where UtReadOlePresStmHeader fails: on that error path pstmContents is never reassigned, so it still holds the freed pointer, and the cleanup code releases it a second time. The result is a double free of the stream object.
An attacker exploits this by emailing a crafted RTF message whose embedded OLE object makes UtReadOlePresStmHeader fail; when Outlook renders the message in the reading pane, the double free is triggered and can be leveraged for arbitrary code execution. No click on an attachment or link is needed, which is why the vulnerability is described as zero-click.
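The control-flow defect described above, as an added illustration that is not code from the original article and not code from ole32.dll: a simplified model in C of UtOlePresStmToContentsStm with a refcounted stand-in for the "CONTENTS" stream. The stream object carries a liveness flag so that the second Release() is counted instead of corrupting the heap, ReadOlePresStmHeader is a hypothetical stand-in for UtReadOlePresStmHeader whose failure the attacker controls through the crafted presentation stream, and the hardened version clears the pointer in the same step as the first release, which is the standard remedy for this pattern (an assumption here; the change Microsoft actually shipped is not shown).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the COM IStream behind pstmContents. Real code frees the heap
 * object when the refcount hits zero; here a liveness flag lets a Release() on
 * a dead object be counted instead of corrupting the heap. */
typedef struct {
    long refcount;
    bool alive;
} FakeStream;

static FakeStream g_contents;        /* backing storage for the "CONTENTS" stream */
static int g_double_release = 0;     /* Release() calls that hit a dead object */

/* Model of creating the "CONTENTS" stream: fresh object, one reference. */
static FakeStream *CreateContentsStream(void)
{
    g_contents.refcount = 1;
    g_contents.alive = true;
    return &g_contents;
}

/* Model of IStream::Release(). On a real heap the second call on a destroyed
 * object is the double free (ExposedStream::~ExposedStream runs again). */
static void Release(FakeStream *s)
{
    if (!s->alive) {
        g_double_release++;
        return;
    }
    if (--s->refcount == 0)
        s->alive = false;            /* destructor + free in the real code */
}

/* Hypothetical stand-in for UtReadOlePresStmHeader: 0 on success, nonzero on
 * failure. The attacker controls the presentation stream, so the attacker
 * controls this outcome. */
static int ReadOlePresStmHeader(bool header_is_valid)
{
    return header_is_valid ? 0 : -1;
}

/* Vulnerable shape, after the description on this page: the stream is
 * released right after creation but pstmContents keeps the dangling pointer,
 * and the error path runs the shared cleanup, which releases it again. */
static int ConvertVulnerable(bool header_is_valid)
{
    FakeStream *pstmContents = CreateContentsStream();
    Release(pstmContents);                    /* destroyed; pointer NOT cleared */

    int hr = ReadOlePresStmHeader(header_is_valid);
    if (hr != 0)
        goto cleanup;                         /* pstmContents still dangling here */

    pstmContents = CreateContentsStream();    /* variable reused on the success path */
    /* ... presentation data would be copied into the CONTENTS stream here ... */

cleanup:
    if (pstmContents != NULL)
        Release(pstmContents);                /* second Release() on the failure path */
    return hr;
}

/* Hardened shape (assumed remedy, not Microsoft's actual patch): drop the
 * reference and clear the variable in the same step, so the cleanup code can
 * never see a stale pointer. */
static int ConvertFixed(bool header_is_valid)
{
    FakeStream *pstmContents = CreateContentsStream();
    Release(pstmContents);
    pstmContents = NULL;                      /* the fix: no dangling reference */

    int hr = ReadOlePresStmHeader(header_is_valid);
    if (hr != 0)
        goto cleanup;

    pstmContents = CreateContentsStream();

cleanup:
    if (pstmContents != NULL)
        Release(pstmContents);
    return hr;
}

/* Runs one conversion and returns how many Release() calls hit a dead stream.
 * A nonzero result is the double free. */
int DoubleReleases(bool fixed, bool header_is_valid)
{
    g_double_release = 0;
    if (fixed)
        ConvertFixed(header_is_valid);
    else
        ConvertVulnerable(header_is_valid);
    return g_double_release;
}

int main(void)
{
    printf("vulnerable, header read fails: %d double release(s)\n", DoubleReleases(false, false));
    printf("vulnerable, header read OK   : %d\n", DoubleReleases(false, true));
    printf("fixed,      header read fails: %d\n", DoubleReleases(true, false));
    return 0;
}
```

The model makes the key point visible: on the success path the variable is reassigned before the cleanup runs, so nothing goes wrong and ordinary testing never sees the bug; only the failure path, which the attacker selects by corrupting the presentation stream header, reaches the cleanup with the stale pointer.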
POC:
https://github.com/expdb2015/CVE-2025-21298
Impact of the vulnerability:
Affected operating systems:
Windows 10, 11, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2025.
Solution:
1. Install the Microsoft security update: the January 2025 Windows security updates (the KB articles listed under the references below) fix the double free in ole32.dll. This is the only complete fix; the measures below only reduce exposure on systems that cannot be patched yet.
2. Read email in plain text: configuring Microsoft Outlook to display messages as plain text (Trust Center > Email Security > "Read all standard mail in plain text") reduces the risk of a malicious OLE object being processed when a message is previewed. The cost is readability: rich content such as images and special fonts is no longer displayed correctly.
3. Avoid opening RTF content from untrusted sources: be cautious of emails containing RTF attachments or RTF-formatted bodies, especially from unknown senders.
4. Apply the principle of least privilege: run Outlook under a standard, non-administrative user account so that a successful exploit is limited to that user's privileges.
References:
https://attackerkb.com/topics/cve-2025-21298
CVE-2025-21298
https://support.microsoft.com/help/5049981
https://support.microsoft.com/help/5049983
https://support.microsoft.com/help/5049984
https://support.microsoft.com/help/5049993
https://support.microsoft.com/help/5050004
https://support.microsoft.com/help/5050008
https://support.microsoft.com/help/5050009
https://support.microsoft.com/help/5050013
https://support.microsoft.com/help/5050021
https://support.microsoft.com/help/5050048
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/microsoft-outlook-zero-click-rce-vulnerability-html