Detect CVE-2025-21298: Windows OLE RCE via Malicious RTF Document in Elastic Security
Detects exploitation of CVE-2025-21298, a use-after-free (CWE-416) vulnerability in Windows OLE that allows remote code execution when a user opens a specially crafted RTF document. With a CVSS score of 9.8 and public PoC availability, this is a critical-severity vulnerability affecting Windows 10, 11, and Server 2008-2025. Exploitation typically involves phishing emails with RTF attachments that trigger the OLE subsystem to execute attacker-controlled code in the context of the victim user.
MITRE ATT&CK
Elastic Detection Query
sequence by host.name, process.parent.pid with maxspan=2m
[process where event.type == "start"
and process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wordpad.exe")
and process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe")]
[any where event.category in ("file", "network", "process") and
(file.path like~ "*\\AppData\\Local\\Temp\\*" or
file.path like~ "*\\ProgramData\\*" or
network.direction == "outbound")]EQL sequence detection for CVE-2025-21298: correlates OLE host process spawning a suspicious child (within 2 minutes) followed by suspicious file writes to temp paths or outbound network connections, indicating successful RCE chain.
Data Sources
Required Tables
False Positives & Tuning
- Macro-driven business automation spawning cmd.exe for legitimate tasks
- IT deployment workflows using Office OLE embedding
- Document processing pipelines writing output to temp directories
- Add-ins making authorized outbound connections for licensing or telemetry
- Red team or penetration testing activities in authorized environments
Other platforms for CVE-2025-21298
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RTF OLE Object Spawning CMD via WordPad
Expected signal: Sysmon EID 1: wordpad.exe spawning cmd.exe with parent-child relationship. DeviceProcessEvents in MDE showing InitiatingProcessFileName=wordpad.exe, FileName=cmd.exe.
- Test 2Simulate OLE Host Encoded PowerShell Download
Expected signal: Sysmon EID 1 with CommandLine containing '-EncodedCommand' or '-enc'. DeviceProcessEvents with ProcessCommandLine matching encoded command patterns.
- Test 3RTF File Drop to INetCache Simulating Email Attachment Open
Expected signal: Sysmon EID 11 (File Create): RTF file written to INetCache path with Outlook or Explorer as initiating process. DeviceFileEvents showing FileName ending in .rtf in INetCache path.
- Test 4OLE Host Unexpected Outbound Network Connection
Expected signal: Sysmon EID 3: Network connection event from powershell.exe (simulating Office host) to external IP on port 80. DeviceNetworkEvents showing InitiatingProcessFileName and DestinationIP for external address.
Unlock Pro Content
Get the full detection package for CVE-2025-21298 including response playbook, investigation guide, and atomic red team tests.