CVE-2025-21298 Splunk · SPL

Detect Windows OLE Remote Code Execution via Malicious RTF Document in Splunk

CVE-2025-21298 is a critical (CVSS 9.8) use-after-free (CWE-416) remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) subsystem. An attacker can exploit this vulnerability by sending a victim a specially crafted email containing a malicious RTF document. Simply previewing the email in Microsoft Outlook's Preview Pane is sufficient to trigger code execution — no user double-click required. The vulnerability affects all supported Windows versions (Windows 10, 11, Server 2008–2025) and is particularly dangerous in SMB environments where Outlook is the standard email client and Preview Pane is enabled by default. As a critical no-interaction RCE via a ubiquitous file format, this vulnerability is a high-priority patching target.

MITRE ATT&CK

Tactics: Initial Access, Execution

SPL Detection Query

Splunk (SPL)
index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "crowdstrike:events:sensor")
(EventCode=1 OR event_simpleName="ProcessRollup2")
(
  (
    ParentImage="*\\OUTLOOK.EXE"
    AND NOT Image IN (
      "*\\splwow64.exe", "*\\winword.exe", "*\\excel.exe",
      "*\\powerpnt.exe", "*\\msedge.exe", "*\\Teams.exe"
    )
    AND NOT Image="*\\mso*.exe"
  )
  OR
  (
    ParentImage IN ("*\\dllhost.exe", "*\\svchost.exe")
    AND Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe",
                  "*\\cscript.exe", "*\\mshta.exe", "*\\certutil.exe")
    AND (ParentCommandLine="*-Embedding*" OR ParentCommandLine="*ole*")
  )
)
| eval CVE="CVE-2025-21298"
| eval ThreatType=case(
    like(lower(ParentImage), "%\\outlook.exe"), "Outlook-Unexpected-Child-Process",
    like(lower(ParentImage), "%\\dllhost.exe") OR like(lower(ParentImage), "%\\svchost.exe"), "OLE-COM-Suspicious-Child",
    true(), "Unknown"
  )
| bin _time span=1h
| stats count AS ProcessEvents,
        values(Image) AS ChildProcesses,
        values(CommandLine) AS CommandLines,
        values(ParentImage) AS ParentProcesses
  BY host, user, CVE, ThreatType, _time
| table _time, host, user, ThreatType, ProcessEvents, ChildProcesses, CommandLines, ParentProcesses, CVE
| sort - ProcessEvents
Severity: critical · Confidence: high

Detects CVE-2025-21298 exploitation by monitoring for unexpected child processes from OUTLOOK.EXE (Preview Pane trigger) or scripting engines spawned by OLE/COM hosts (dllhost.exe with -Embedding flag). The -Embedding flag indicates an OLE in-process server activation, which is the execution path for CVE-2025-21298.
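The two branches of the query can be exercised offline against known-good and known-bad process records before the search goes into production. The following Python is an added example written for this page, not the page's own code and not from any vendor: it parses constructed Sysmon Event ID 1 records in the XmlWinEventLog shape, applies the same OUTLOOK.EXE-child allowlist and the same COM-host-to-script-engine test with the -Embedding check, and groups the matches per host, user and ThreatType the way the stats clause does. The hostnames, user names, paths and the CLSID in the dllhost command line are constructed placeholders.

```python
import fnmatch
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Allowlist taken from the SPL query: children OUTLOOK.EXE is expected to spawn.
OUTLOOK_EXPECTED_CHILDREN = [
    "*\\splwow64.exe", "*\\winword.exe", "*\\excel.exe",
    "*\\powerpnt.exe", "*\\msedge.exe", "*\\teams.exe", "*\\mso*.exe",
]
COM_HOSTS = ["*\\dllhost.exe", "*\\svchost.exe"]
SCRIPT_ENGINES = [
    "*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe",
    "*\\cscript.exe", "*\\mshta.exe", "*\\certutil.exe",
]


def _match_any(value, patterns):
    # Case-insensitive glob match, mirroring Splunk's wildcard search terms.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon <Event> record into a dict of System/EventData fields."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "host": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def classify(event):
    """Return the ThreatType the SPL query would assign, or None if no branch matches."""
    if event.get("EventID") != "1":
        return None
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    parent_cmd = event.get("ParentCommandLine", "").lower()
    # Branch 1: OUTLOOK.EXE spawned something outside the expected child set.
    if _match_any(parent, ["*\\outlook.exe"]) and not _match_any(image, OUTLOOK_EXPECTED_CHILDREN):
        return "Outlook-Unexpected-Child-Process"
    # Branch 2: a COM surrogate host (launched with -Embedding) spawned a scripting engine.
    # The bare "ole" substring test is the query's own and is the noisier of the two.
    if (_match_any(parent, COM_HOSTS) and _match_any(image, SCRIPT_ENGINES)
            and ("-embedding" in parent_cmd or "ole" in parent_cmd)):
        return "OLE-COM-Suspicious-Child"
    return None


def detect(xml_records):
    """Apply classify() to raw records and aggregate like the query's stats clause:
    one row per (host, user, ThreatType) with the child images and command lines seen."""
    alerts = {}
    for raw in xml_records:
        ev = parse_sysmon_event(raw)
        threat = classify(ev)
        if threat is None:
            continue
        key = (ev["host"], ev.get("User", ""), threat)
        row = alerts.setdefault(key, {"ProcessEvents": 0, "ChildProcesses": set(), "CommandLines": set()})
        row["ProcessEvents"] += 1
        row["ChildProcesses"].add(ev.get("Image", ""))
        row["CommandLines"].add(ev.get("CommandLine", ""))
    return alerts


def _sysmon_xml(host, user, image, cmdline, parent_image, parent_cmdline):
    # Builds a minimal Sysmon Event ID 1 record; constructed sample, not real telemetry.
    fields = {"Image": image, "CommandLine": cmdline, "User": user,
              "ParentImage": parent_image, "ParentCommandLine": parent_cmdline}
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1</EventID>'
            f'<Computer>{host}</Computer></System><EventData>{data}</EventData></Event>')


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
DLLHOST = r"C:\Windows\System32\dllhost.exe"
SAMPLE_EVENTS = [
    # Should fire (branch 1): Outlook spawning cmd.exe.
    _sysmon_xml("WS01", r"CORP\alice", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", OUTLOOK, f'"{OUTLOOK}"'),
    # Benign: Outlook opening Word, which is on the allowlist.
    _sysmon_xml("WS01", r"CORP\alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                '"WINWORD.EXE" /n', OUTLOOK, f'"{OUTLOOK}"'),
    # Should fire (branch 2): COM surrogate started with -Embedding spawns PowerShell.
    _sysmon_xml("WS02", r"CORP\bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "powershell.exe -NoProfile -Command Get-Date", DLLHOST,
                f"{DLLHOST} /Processid:{{PLACEHOLDER-CLSID}} -Embedding"),
    # Benign: a service host without -Embedding runs cmd.exe.
    _sysmon_xml("WS02", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig",
                r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for (host, user, threat), row in detect(SAMPLE_EVENTS).items():
        print(host, user, threat, row["ProcessEvents"], sorted(row["ChildProcesses"]))
```

Running the block prints two rows, one per branch; the Word and svchost records are correctly discarded. Feeding it exported XmlWinEventLog events from a test host is a quick way to confirm the allowlist covers the helper processes your Outlook build actually spawns before tuning the SPL.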

Data Sources

  • Sysmon (Event ID 1, process creation)
  • CrowdStrike Falcon process telemetry

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • crowdstrike:events:sensor (optional; the query also accepts this sourcetype)

False Positives & Tuning

  • Legitimate Outlook plugins that spawn helper processes
  • COM automation scripts invoked by IT management tools
  • ParentCommandLine="*ole*" is a bare substring match and also hits unrelated strings such as "console" or "role"; if it proves noisy, restrict that branch to the COM activation switch (ParentCommandLine="*-Embedding*")
  • The CrowdStrike branch assumes Sysmon-style field names (Image, ParentImage, CommandLine, ParentCommandLine); map Falcon's native process fields onto those names (for example with field aliases) before relying on that branch

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate OLE object spawn from Outlook Preview Pane

    Expected signal: Sysmon Event ID 1 — unexpected process (cmd.exe or payload) with ParentImage=OUTLOOK.EXE triggered by email preview.
