Zero-Click Remote Code Execution Proof of Concept for the Microsoft Outlook OLE Double-Free Vulnerability
2025-1-24 02:32:49 Author: cybersecuritynews.com

Outlook Zero-Click RCE Vulnerability

A new proof-of-concept (PoC) has been released for a Microsoft Outlook zero-click remote code execution (RCE) vulnerability in Windows Object Linking and Embedding (OLE), identified as CVE-2025-21298.

The PoC demonstrates the memory corruption, showing how the flaw, a double-free condition in the ole32.dll component, could be exploited and the serious security risk it poses if left unpatched.

This flaw, which scores a staggering 9.8 on the CVSS scale, was disclosed by cybersecurity expert Matt Johansen via a thread on X, formerly known as Twitter, highlighting the severity and potential impact of the vulnerability.

🚨 Zero-Click Vulnerability Alert: Microsoft patched a critical zero-click RCE vulnerability in Windows OLE (CVE-2025-21298).

9.8 on CVSS and allows attackers to exploit systems with no user interaction. – Just previewing an email.

Let’s break it down 🧵👇

— Matt Johansen (@mattjay) January 23, 2025

Details of the Vulnerability & PoC Exploit:

The vulnerability resides within the ole32.dll file, pinpointed to a double-free error in the UtOlePresStmToContentsStm function. This function is responsible for processing embedded OLE objects within Rich Text Format (RTF) files, a common feature in Microsoft Outlook.


CVE-2025-21298 is a critical remote code execution (RCE) vulnerability found in ole32.dll, specifically within the UtOlePresStmToContentsStm function. The vulnerability arises due to a double-free condition, leading to potential memory manipulation and remote code execution.

The issue occurs in the function's cleanup code, which mishandles the pstmContents pointer after it has become a dangling pointer, that is, after the memory it references has already been freed.

If the UtReadOlePresStmHeader function fails, the cleanup code inadvertently releases the memory pointer again, resulting in a double-free operation.

This flaw is especially dangerous because it is exploitable via malicious RTF files containing embedded OLE objects, which could be triggered in applications like Microsoft Word or Outlook.

The vulnerability’s CVSS score is 9.8, indicating critical severity, largely due to its zero-click nature, where attackers could craft payloads to exploit the flaw without user interaction.

A patch has been issued that explicitly sets the pstmContents pointer to NULL after it is released, preventing the double-free issue. Exploitation could potentially extend beyond RTF files to other OLE-supported formats.
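As an added illustration (constructed for this article, not the page's PoC or Microsoft's ole32 code), the following C model reproduces the control flow described above: a failure in the header-reading step releases the contents stream, a shared cleanup block releases it again, and the fix clears the pointer in between. The Stream type, stream_release and the function names are assumptions that track Release() calls instead of touching the heap, so the double release is counted rather than executed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a COM stream object (not the real IStream/ole32 code):
 * Release() is tracked rather than executed, so a second Release() on an
 * already freed object is counted instead of corrupting the heap. */
typedef struct { int refcount; bool freed; } Stream;

static int g_double_releases;  /* Release() calls that landed on freed memory */

static void stream_release(Stream *s) {
    if (s == NULL) return;                         /* COM rule: never Release NULL */
    if (s->freed) { g_double_releases++; return; } /* real code: a double free here */
    if (--s->refcount == 0) s->freed = true;       /* real code: the object is freed */
}

/* Model of UtOlePresStmToContentsStm's control flow. header_ok stands in for
 * the result of UtReadOlePresStmHeader; patched selects pre- or post-fix
 * behaviour. Returns 0 on success, -1 when the header cannot be read. */
static int convert_pres_stream(Stream *pstmContents, bool header_ok, bool patched) {
    int hr = 0;
    if (!header_ok) {
        stream_release(pstmContents);      /* failure path releases the stream ... */
        if (patched) pstmContents = NULL;  /* ... and the fix clears the pointer */
        hr = -1;
        goto cleanup;                      /* unpatched: pstmContents now dangles */
    }
    /* normal conversion of the presentation stream would happen here */
cleanup:
    stream_release(pstmContents);          /* shared cleanup: second release unpatched,
                                              harmless no-op on NULL when patched */
    return hr;
}

/* Runs one scenario on a fresh single-owner stream; returns double releases seen. */
static int count_double_releases(bool header_ok, bool patched) {
    Stream s = { 1, false };               /* constructed object with one owner */
    g_double_releases = 0;
    (void)convert_pres_stream(&s, header_ok, patched);
    return g_double_releases;
}

int main(void) {
    printf("header fails, unpatched: %d double release(s)\n", count_double_releases(false, false));
    printf("header fails, patched:   %d double release(s)\n", count_double_releases(false, true));
    printf("header ok, unpatched:    %d double release(s)\n", count_double_releases(true, false));
    return 0;
}
```

Only the combination of a failed header read and the unpatched flow produces a second release; the same shape (release in an error branch, release again in shared cleanup) is what a reviewer should look for in any cleanup path that does not clear the pointer.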

According to Johansen, attackers can exploit this vulnerability simply by sending a crafted RTF file via email, which, upon previewing in Outlook, triggers the double-free condition, leading to arbitrary code execution without any user interaction.

This means that just by previewing an email, a user’s system could be compromised, allowing attackers to install malware, steal data, or escalate their privileges within the network.

The flaw affects a broad range of Microsoft Windows versions, from Windows 10 to Windows 11, and server versions from 2008 to the latest 2025.

The simplicity of the exploit, requiring merely the preview of a malicious email, underscores the urgency for users and organizations to apply the patch immediately.

In response, Microsoft has released a fix in the January 2025 patch cycle, as detailed by Johansen. The patch nullifies the pointer after it is freed and includes enhanced error-handling routines to prevent this type of memory corruption in the future.

Microsoft has urged all users to apply this update as soon as possible to mitigate the risk.

Johansen provided several recommendations for users to protect against this vulnerability:

  • Patch Immediately: Users are advised to update their Windows systems with the latest security patch to close this vulnerability.
  • Disable RTF Previews: For those unable to patch immediately, disabling RTF previews in Outlook is suggested as a temporary measure.
  • Enhance Email Security: Implementing advanced threat detection for email attachments can provide an additional layer of security.

For those interested in a deeper technical analysis, the linked blog post offers a comprehensive vulnerability breakdown. Additionally, he provided a Kusto Query Language (KQL) script for threat hunting, allowing security professionals to detect signs of exploitation within their networks.

This zero-click vulnerability represents a significant risk due to its ease of exploitation and the potential for widespread damage. Microsoft’s prompt action in releasing a patch demonstrates the critical nature of the issue.

Users and organizations are strongly advised to follow the recommended actions to secure their systems against this and similar threats in the future. For more detailed information, users can refer to the original thread by Matt Johansen on X.



Article source: https://cybersecuritynews.com/outlook-zero-click-rce-vulnerability-cve-2025-21298/