title: Windows OLE Remote Code Execution via Malicious RTF Document (CVE-2025-21298)
id: df00tech-cve-2025-21298
status: experimental
description: "CVE-2025-21298 is a critical (CVSS 9.8) use-after-free (CWE-416) remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) subsystem. An attacker can exploit it by sending the victim an email containing a specially crafted RTF document. Simply previewing the email in Microsoft Outlook's Preview Pane is enough to trigger code execution; no double-click or other user interaction is required. The vulnerability affects all supported Windows versions (Windows 10, 11, Server 2008–2025) and is particularly dangerous in small and medium-sized business (SMB) environments, where Outlook is the standard email client and the Preview Pane is enabled by default. As a critical no-interaction RCE delivered through a ubiquitous file format, it is a high-priority patching target."
references:
  - https://attack.mitre.org/techniques/CVE-2025-21298/
  - https://df00tech.com/detections/CVE-2025-21298
author: df00tech
date: 2026/04/22
tags:
  - attack.cve-2025-21298
  - cve.2025-21298
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original detection logic could not be auto-translated; the authoritative KQL/SPL query is on df00tech.
  # The selection below is an approximation reconstructed from the falsepositives notes in this rule
  # (Outlook spawning a child process, with the splwow64.exe print-to-PDF path excluded) and replaces a
  # placeholder that matched every event. Validate it against your own telemetry before enabling.
  selection:
    ParentImage|endswith: '\outlook.exe'
  filter_print_to_pdf:
    Image|endswith: '\splwow64.exe'
  condition: selection and not filter_print_to_pdf
falsepositives:
  - Legitimate Office automation spawning dllhost.exe via COM/OLE (tune with known-good COM object GUIDs)
  - IT scripts using Outlook COM automation (document which service accounts perform this)
  - Print-to-PDF workflows spawning splwow64.exe from Outlook (already excluded in query)
level: critical
