overview
CVE-2025-21298 is a critical vulnerability in Windows Object Linking and Embedding (OLE) that allows remote code execution (RCE) through a specially crafted email. It carries a CVSS v3.1 base score of 9.8 (Critical). It is described as zero-click because the Outlook Preview Pane is an attack vector: rendering the message is enough to reach the vulnerable code, and the recipient does not have to open an attachment.
The flaw resides in the ole32.dll library, in the function UtOlePresStmToContentsStm. That function converts the data held in an "OlePres" stream of an OLE storage (a compound file) into appropriately formatted data and writes it to the "CONTENTS" stream of the same storage. A proof-of-concept (PoC) that triggers the underlying memory corruption has been published on GitHub. Because ole32.dll is a Windows component rather than an Outlook component, any application that loads OLE objects from untrusted files reaches the same code path; Outlook is simply the most exposed consumer.
Attackers can exploit this vulnerability by sending an email that carries a malicious RTF document with a crafted embedded OLE object. When the recipient opens the message in Microsoft Outlook, or Outlook renders it in the Preview Pane, the object is parsed, the vulnerability is triggered, and the attacker can execute arbitrary code in the security context of the user running Outlook.
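For analysts triaging suspicious RTF attachments, the following added example (written for this page, not code from the original advisory or from the PoC author) shows the structure the exploit rides on: an RTF `\objdata` hex blob wraps an OLE 1.0 object header, which in turn wraps an OLE compound file whose directory names its streams in UTF-16LE. The script extracts each blob, locates the compound file signature, and reports whether the storage names an "OlePres" stream (the input that UtOlePresStmToContentsStm processes) and a "CONTENTS" stream. The sample RTF and the stand-in storage are constructed inline; the storage is not a valid compound file, only enough bytes to exercise the checks. Presence of an OlePres stream is a triage signal, not evidence of exploitation, since benign embedded objects also cache presentations there.

```python
"""Triage helper: find RTF-embedded OLE objects that carry an OlePres stream.

Added example for this advisory; not the PoC author's or Microsoft's code.
"""
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # [MS-CFB] header signature
OLEPRES_MARKER = "OlePres".encode("utf-16-le")    # directory entry names are UTF-16LE
CONTENTS_MARKER = "CONTENTS".encode("utf-16-le")

# Hex payload that follows the objdata control word; whitespace and newlines allowed.
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Return the decoded binary payload of every objdata group in the RTF."""
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdigits) % 2:              # tolerate a truncated final nibble
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def inspect_blob(blob: bytes) -> dict:
    """Locate the compound file inside the OLE 1.0 wrapper and check stream names."""
    offset = blob.find(CFB_MAGIC)
    info = {"is_ole_storage": offset >= 0, "cfb_offset": offset,
            "has_olepres": False, "has_contents": False}
    if offset >= 0:
        storage = blob[offset:]
        # Directory entry names sit in fixed 64-byte fields, so a raw substring
        # search over the storage finds them without walking the FAT.
        info["has_olepres"] = OLEPRES_MARKER in storage
        info["has_contents"] = CONTENTS_MARKER in storage
    return info


def triage_rtf(rtf: bytes) -> list[dict]:
    """One result dict per embedded object found in the RTF."""
    return [inspect_blob(blob) for blob in extract_objdata(rtf)]


# --- constructed sample input (not a real exploit document) -------------------

def ole1_wrap(native: bytes, class_name: bytes = b"Package") -> bytes:
    """Wrap native data in the OLE 1.0 ObjectHeader layout used inside objdata:
    version, FormatID 2 (embedded), length-prefixed class name, empty topic and
    item names, then the native data size and the data itself."""
    return (struct.pack("<II", 0x00000501, 2)
            + struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf(native: bytes) -> bytes:
    """Embed `native` as an objdata hex blob, wrapped at 64 hex chars per line
    the way Word-generated RTF is."""
    hexdata = ole1_wrap(native).hex().encode("ascii")
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + lines + b"}}}")


# Stand-in "storage": the CFB signature plus directory-entry-style names. It is
# not a valid compound file, only enough bytes to exercise the checks above.
SAMPLE_STORAGE = (CFB_MAGIC + b"\x00" * 504
                  + "OlePres000".encode("utf-16-le").ljust(64, b"\x00")
                  + "CONTENTS".encode("utf-16-le").ljust(64, b"\x00"))

if __name__ == "__main__":
    for i, result in enumerate(triage_rtf(build_sample_rtf(SAMPLE_STORAGE))):
        print(f"object {i}: {result}")
```

Run it against a saved .msg body or an extracted RTF attachment by passing the file bytes to `triage_rtf`. Real-world samples often obfuscate the `\objdata` group with nested control words or split hex runs; for production triage, feed the file to a full RTF parser such as oletools' rtfobj and use this script only to understand what that tool is looking for.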
how avertium is protecting our customers
IOCs ADDED TO OUR THREAT FEEDS
At this time, there are no known IoCs associated with successful exploitation of CVE-2025-21298. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
TTPs TO MONITOR
Tactic: Initial Access (TA0001)
- Phishing: Spearphishing Attachment (T1566.001) – Attackers may distribute malicious RTF files via email phishing campaigns to exploit the vulnerability when opened in Microsoft Outlook.
- Phishing: Spearphishing Link (T1566.002) – Instead of an attachment, an attacker could send a URL that leads to a web page hosting the RTF document; the exploit fires when the downloaded document is opened by an application that loads the embedded OLE object.
Tactic: Execution (TA0002)
- User Execution: Malicious File (T1204.002) – Opening a delivered RTF attachment reaches the vulnerable OLE parsing path. This technique covers only the attachment route; for the Outlook Preview Pane route no action beyond viewing the message is required, which is why CVE-2025-21298 is described as zero-click.
- Exploitation for Client Execution (T1203) – The vulnerability yields remote code execution (RCE) by exploiting the Windows OLE component (ole32.dll) inside the client application that renders the message or document.
Tactic: Command and Control (TA0011)
- Ingress Tool Transfer (T1105) – Attackers may download additional payloads, such as malware loaders or RATs, onto the compromised system.
- Application Layer Protocol: Web Protocols (T1071.001) – Exploited systems may establish command and control (C2) communication over HTTP/S.
- Encrypted Channel (T1573) – Threat actors may use TLS-encrypted traffic to prevent detection by network security tools.
additional recommendations + information
Apply Patches: Microsoft released fixes for this vulnerability in the January 2025 Patch Tuesday updates (January 14, 2025). Users and organizations are strongly advised to apply these updates promptly. Because the fix is in ole32.dll, a Windows component, the cumulative update must be installed on every Windows host, not only on machines running Outlook.
Configure Email Clients: For those unable to update immediately, the recommended workaround is to configure Outlook to read all standard mail in plain text format, which stops Outlook from rendering the RTF content that carries the malicious object. This corresponds to the ReadAsPlain DWORD value (set to 1) under HKCU\Software\Microsoft\Office\<version>\Outlook\Options\Mail, and can be enforced centrally through the matching Group Policy setting. Note that this reduces the Preview Pane and message-body exposure only; it does not fix ole32.dll, and a user who opens a malicious RTF attachment will still reach the vulnerable code.
ADDITIONAL SERVICE OFFERINGS
- Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
- Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
- Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
- Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
- Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
SUPPORTING DOCUMENTATION