Detect CVE-2025-21298: Windows OLE RCE via Malicious RTF Document in Google Chronicle
Detects exploitation of CVE-2025-21298, a use-after-free (CWE-416) vulnerability in Windows OLE that allows remote code execution when a user opens a specially crafted RTF document. With a CVSS score of 9.8 and public PoC availability, this is a critical-severity vulnerability affecting Windows 10, 11, and Server 2008-2025. Exploitation typically involves phishing emails with RTF attachments that trigger the OLE subsystem to execute attacker-controlled code in the context of the victim user.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2025_21298_ole_rce {
meta:
author = "df00tech"
description = "Detects CVE-2025-21298 Windows OLE RCE via malicious RTF document"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298"
mitre_attack_tactic = "Initial Access, Execution"
mitre_attack_technique = "T1566.001, T1204.002"
events:
$proc.metadata.event_type = "PROCESS_LAUNCH"
$proc.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|wordpad)\.exe$/
$proc.target.process.file.full_path = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$/
match:
$proc.principal.hostname over 5m
condition:
$proc
}Chronicle YARA-L rule for CVE-2025-21298: detects PROCESS_LAUNCH events where an Office/OLE host spawns a suspicious child process, indicative of RTF-triggered OLE use-after-free exploitation leading to RCE.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Office macros that spawn shell commands for business automation
- IT management tooling using OLE embedding for software deployment
- Third-party Office add-ins that invoke command-line tools as part of normal operation
- Security testing or red team exercises using RTF-based payloads in authorized environments
- Document workflow automation that uses cmd.exe for output processing
Other platforms for CVE-2025-21298
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RTF OLE Object Spawning CMD via WordPad
Expected signal: Sysmon EID 1: wordpad.exe spawning cmd.exe with parent-child relationship. DeviceProcessEvents in MDE showing InitiatingProcessFileName=wordpad.exe, FileName=cmd.exe.
- Test 2Simulate OLE Host Encoded PowerShell Download
Expected signal: Sysmon EID 1 with CommandLine containing '-EncodedCommand' or '-enc'. DeviceProcessEvents with ProcessCommandLine matching encoded command patterns.
- Test 3RTF File Drop to INetCache Simulating Email Attachment Open
Expected signal: Sysmon EID 11 (File Create): RTF file written to INetCache path with Outlook or Explorer as initiating process. DeviceFileEvents showing FileName ending in .rtf in INetCache path.
- Test 4OLE Host Unexpected Outbound Network Connection
Expected signal: Sysmon EID 3: Network connection event from powershell.exe (simulating Office host) to external IP on port 80. DeviceNetworkEvents showing InitiatingProcessFileName and DestinationIP for external address.
Unlock Pro Content
Get the full detection package for CVE-2025-21298 including response playbook, investigation guide, and atomic red team tests.