CVE-2025-21298 is a critical remote code execution vulnerability in Windows OLE with a CVSS severity score of 9.8. Object Linking and Embedding (OLE) is a proprietary Microsoft technology that allows documents and objects to be embedded in, and linked from, other documents.

Attackers can exploit this vulnerability through specially crafted emails sent to Microsoft Outlook users. The flaw is triggered by the initial payload, an RTF document embedded with malicious code. Simply opening or previewing the malicious document can trigger arbitrary code execution on the victim's system, which then downloads the final payload and potentially grants the attacker unauthorised control.

This is a major threat to organisations because attackers typically trigger the vulnerability with phishing emails that lure victims into opening the attachment. When the malicious document is opened, it runs a PowerShell command in the background that downloads a payload onto the victim’s system, ultimately handing control to the attacker.

Recommendation: 

Microsoft has released a security update to address this vulnerability. Organisations and users are strongly encouraged to install it as soon as possible to protect against potential attacks.  

Those who cannot install the update yet can apply Microsoft’s workaround of opening the attachment as plain text to minimise the risk.

Workarounds: 

    • Use Microsoft Outlook to reduce the risk of users opening RTF files from unknown or untrusted sources 
    • To help protect against this vulnerability, we recommend users read email messages in plain text format. For guidance on how to configure Microsoft Outlook to read all standard mail in plain text, please refer to Read email messages in plain text. 
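The plain-text workaround above is a per-user Outlook option that is stored in the registry. The following PowerShell is an added example (not from this bulletin or from Microsoft) that audits that setting and, where the security update cannot yet be installed, enforces it. It assumes Outlook 2013/2016 or later (Office 15.0/16.0 registry hives) and must run in the affected user’s context, since the values live under HKCU.

```powershell
# Added example: audit and enforce Outlook's "read all standard mail in plain text" option.
# Assumptions: Office 15.0/16.0 hives; ReadAsPlain/ReadSigned are the documented DWORD values
# behind the Outlook option referenced in the workaround. Run as the affected user.
$OfficeVersions = @('15.0', '16.0')

function Get-OutlookPlainTextState {
    # Returns one object per installed Office version with the current ReadAsPlain value.
    foreach ($v in $OfficeVersions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Outlook\Options\Mail"
        if (-not (Test-Path $key)) { continue }   # this Office version is not installed for the user
        $val = (Get-ItemProperty -Path $key -Name 'ReadAsPlain' -ErrorAction SilentlyContinue).ReadAsPlain
        [pscustomobject]@{
            OfficeVersion = $v
            RegistryKey   = $key
            ReadAsPlain   = $val
            Mitigated     = ($val -eq 1)   # 1 = plain text; missing or 0 = rich (RTF/HTML) rendering
        }
    }
}

function Set-OutlookPlainText {
    # Sets ReadAsPlain=1 (and ReadSigned=1 so S/MIME-signed mail is also shown as plain text)
    # for every installed Office version, then returns the resulting state for verification.
    foreach ($state in Get-OutlookPlainTextState) {
        New-ItemProperty -Path $state.RegistryKey -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $state.RegistryKey -Name 'ReadSigned'  -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-OutlookPlainTextState
}

# Audit first; uncomment the second line only on hosts that cannot yet receive the security update.
Get-OutlookPlainTextState | Format-Table -AutoSize
# Set-OutlookPlainText | Format-Table -AutoSize
```

For fleet-wide enforcement the same option is available through Group Policy with the Outlook administrative templates, which is preferable to per-host registry edits; outside Outlook the setting has no effect, so the security update remains the actual fix.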


Impact of workaround:  

Email messages that are viewed in plain text format will not contain pictures, specialised fonts, animations, or other rich content. Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly. 


Reference: 

CVE-2025-21298 - Security Update Guide - Microsoft - Windows OLE Remote Code Execution Vulnerability 


If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
