Detect CVE-2025-21298: Windows OLE RCE via Malicious RTF Document in Sumo Logic CSE

Detects exploitation of CVE-2025-21298, a use-after-free (CWE-416) vulnerability in Windows OLE that allows remote code execution when a user opens a specially crafted RTF document. With a CVSS score of 9.8 and public PoC availability, this is a critical-severity vulnerability affecting Windows 10, 11, and Server 2008-2025. Exploitation typically involves phishing emails with RTF attachments that trigger the OLE subsystem to execute attacker-controlled code in the context of the victim user.

MITRE ATT&CK

Tactics: Initial Access, Execution, Defense Evasion

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
// Sysmon process create (1), file create (11) and network connection (3)
| where EventID in ("1", "11", "3")
| parse field=ParentImage "*" as parent_process nodrop
| parse field=Image "*" as child_process nodrop
| parse field=CommandLine "*" as command_line nodrop
| parse field=TargetFilename "*" as target_file nodrop
// Parent must be an OLE host: an Office application or WordPad
| where toLowerCase(parent_process) matches ".*(winword|excel|powerpnt|outlook|wordpad)\.exe"
// ... and it spawned a scripting/LOLBin child, ran a download or encoded command, or wrote to a user-writable staging path
| where toLowerCase(child_process) matches ".*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe"
    or toLowerCase(command_line) matches ".*(invoke-expression|iex|downloadstring|webclient|-encodedcommand|-enc|bypass|http://|https://).*"
    or toLowerCase(target_file) matches ".*(appdata\\local\\temp|appdata\\roaming|programdata).*"
// Label the hit; the first matching branch wins
| if(toLowerCase(child_process) matches ".*(cmd|powershell)\.exe", "Suspicious child spawned by OLE host",
    if(toLowerCase(command_line) matches ".*(invoke-expression|downloadstring|-enc).*", "Encoded/download command from OLE host",
    if(toLowerCase(target_file) matches ".*(temp|roaming|programdata).*", "Suspicious file write by OLE host",
    "OLE anomaly"))) as detection_category
| count by _messageTime, Computer, User, parent_process, child_process, command_line, target_file, detection_category
| sort by _messageTime desc

Severity: critical. Confidence: medium.

This Sumo Logic query for CVE-2025-21298 parses Sysmon and Windows Security events to detect OLE host processes (Office applications, WordPad) spawning suspicious child processes, executing encoded or download commands, or creating files in user-writable staging paths.

Data Sources

  • Sumo Logic
  • Sysmon
  • Windows Security Event Log

Required Tables

  • windows/sysmon
  • windows/security

False Positives & Tuning

  • Legitimate Office macros spawning cmd.exe for business workflows
  • Add-ins or plug-ins that write temp files as part of normal function
  • IT management scripts that invoke shell commands via Office OLE
  • Security tools conducting authorized simulations using RTF payloads
  • Document processing automation writing output to AppData or ProgramData

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: RTF OLE Object Spawning CMD via WordPad

    Expected signal: Sysmon EID 1: wordpad.exe spawning cmd.exe with parent-child relationship. DeviceProcessEvents in MDE showing InitiatingProcessFileName=wordpad.exe, FileName=cmd.exe.

  2. Test 2: Simulate OLE Host Encoded PowerShell Download

    Expected signal: Sysmon EID 1 with CommandLine containing '-EncodedCommand' or '-enc'. DeviceProcessEvents with ProcessCommandLine matching encoded command patterns.

  3. Test 3: RTF File Drop to INetCache Simulating Email Attachment Open

    Expected signal: Sysmon EID 11 (File Create): RTF file written to INetCache path with Outlook or Explorer as initiating process. DeviceFileEvents showing FileName ending in .rtf in INetCache path.

  4. Test 4: OLE Host Unexpected Outbound Network Connection

    Expected signal: Sysmon EID 3: Network connection event from powershell.exe (simulating Office host) to external IP on port 80. DeviceNetworkEvents showing InitiatingProcessFileName and DestinationIP for external address.
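To validate the rule's logic before telemetry reaches Sumo, the following Python re-implementation of the query's matching and labelling logic is added here as an example; it is not part of the original page or the vendor's content. It replays constructed Sysmon-style events modelled on the four expected signals above plus one allowlisted business workflow from the tuning list. It assumes that Sumo's `matches` operator performs a whole-string regex match (which is why every pattern in the query starts with `.*`); the allowlist entry, host names, user names and file paths are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Regexes transcribed from the Sumo query, applied to lower-cased fields. Sumo's `matches`
# is assumed to require a whole-string match, which is why each pattern starts with `.*`.
OLE_HOST = re.compile(r".*(winword|excel|powerpnt|outlook|wordpad)\.exe")
SUSPICIOUS_CHILD = re.compile(
    r".*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe")
SUSPICIOUS_CMD = re.compile(
    r".*(invoke-expression|iex|downloadstring|webclient|-encodedcommand|-enc|bypass|http://|https://).*")
SUSPICIOUS_PATH = re.compile(r".*(appdata\\local\\temp|appdata\\roaming|programdata).*")
# Narrower patterns used only to label a hit, in the same precedence as the query's nested if().
SHELL_CHILD = re.compile(r".*(cmd|powershell)\.exe")
ENCODED_CMD = re.compile(r".*(invoke-expression|downloadstring|-enc).*")
STAGING_PATH = re.compile(r".*(temp|roaming|programdata).*")


@dataclass
class Event:
    """The Sysmon fields the query parses; "" stands for a field the event type does not carry."""
    event_id: str
    computer: str
    user: str
    parent_image: str = ""
    image: str = ""
    command_line: str = ""
    target_filename: str = ""


def matches(pattern, value):
    return pattern.fullmatch(value.lower()) is not None


def classify(ev):
    """Return the detection_category the query would assign, or None if the event is not selected."""
    if ev.event_id not in ("1", "11", "3"):
        return None
    if not matches(OLE_HOST, ev.parent_image):          # parent must be an OLE host
        return None
    if not (matches(SUSPICIOUS_CHILD, ev.image)
            or matches(SUSPICIOUS_CMD, ev.command_line)
            or matches(SUSPICIOUS_PATH, ev.target_filename)):
        return None
    if matches(SHELL_CHILD, ev.image):
        return "Suspicious child spawned by OLE host"
    if matches(ENCODED_CMD, ev.command_line):
        return "Encoded/download command from OLE host"
    if matches(STAGING_PATH, ev.target_filename):
        return "Suspicious file write by OLE host"
    return "OLE anomaly"


# Hypothetical tuning allowlist: full command-line fragments of known business workflows
# (the "Legitimate Office macros spawning cmd.exe" case). Matching on the command line rather
# than on the child image keeps the exception narrow.
ALLOWLIST = [r"\\fileserver\finance\refresh.bat"]   # constructed placeholder


def is_allowlisted(ev):
    cl = ev.command_line.lower()
    return any(entry.lower() in cl for entry in ALLOWLIST)


def run(events):
    """Apply rule and tuning to a batch of events; returns (computer, user, category) per alert."""
    alerts = []
    for ev in events:
        cat = classify(ev)
        if cat is not None and not is_allowlisted(ev):
            alerts.append((ev.computer, ev.user, cat))
    return alerts


# Constructed sample telemetry (not real logs), modelled on the expected signals of the tests above.
SAMPLE_EVENTS = [
    # Test 1: WordPad spawning cmd.exe
    Event("1", "WS01", "CORP\\alice", parent_image=r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
          image=r"C:\Windows\System32\cmd.exe", command_line="cmd.exe /c echo test"),
    # Test 2: Word spawning powershell.exe with an encoded command (payload replaced by a placeholder)
    Event("1", "WS01", "CORP\\alice", parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -EncodedCommand <constructed-base64>"),
    # Variant: PowerShell 7 host is not in the child list, so only the command-line clause catches it
    Event("1", "WS01", "CORP\\alice", parent_image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          image=r"C:\Program Files\PowerShell\7\pwsh.exe", command_line="pwsh.exe -enc <constructed-base64>"),
    # Tuning case: Excel macro launching a known finance batch job (allowlisted)
    Event("1", "WS03", "CORP\\carol", parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          image=r"C:\Windows\System32\cmd.exe", command_line=r"cmd.exe /c \\fileserver\finance\refresh.bat"),
    # Test 3: EID 11 carries Image and TargetFilename but no ParentImage
    Event("11", "WS02", "CORP\\bob", image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          target_filename=r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.rtf"),
    # Test 4: EID 3 likewise has no ParentImage
    Event("3", "WS02", "CORP\\bob", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Catch-all branch: LOLBin child with no keyword in the command line and no file write
    Event("1", "WS03", "CORP\\carol", parent_image=r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
          image=r"C:\Windows\System32\regsvr32.exe", command_line="regsvr32.exe /s addin.dll"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Two things the replay makes visible. First, the labelling branches are evaluated in order, so an encoded command launched through powershell.exe is labelled "Suspicious child spawned by OLE host", and the "Encoded/download command" label is only reached when the child is outside the cmd/powershell list (pwsh.exe in the sample). Second, Sysmon EID 11 and EID 3 events carry Image but no ParentImage, so the parent-process filter as written never selects them: Tests 3 and 4 produce the expected telemetry but no hit from this query, which is worth knowing before treating a clean run as validated coverage.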

