Advisory

January 23 Advisory: Windows OLE Vulnerability RCE [CVE-2025-21298]

Date of Disclosure (source): January 14, 2025

CVE-2025-21298 is a critical flaw in Windows Object Linking and Embedding (OLE) technology. This issue spans a wide range of systems, from Windows Server 2008 to 2025 and Windows 10/11, impacting both server installations (including Server Core) and desktop setups. The danger is especially high for systems processing Rich Text Format (RTF) files or emails via Microsoft Outlook. 

An attacker could exploit this vulnerability by crafting a malicious RTF file or email loaded with a payload. They send it to a victim, who unknowingly interacts with the file and triggers the exploit when:

  1. The victim opens the RTF file or email using Microsoft Outlook or another OLE-compatible application.
  2. The email is simply previewed in Outlook’s reading pane—no click needed.

The malicious payload embedded in the document or email executes, giving the attacker full control over the victim system. This means they can steal data, install malware, or escalate privileges without needing the victim to do much more than glance at their inbox. 

Microsoft Exchange Server or Microsoft Outlook as standalone applications are not directly vulnerable because the flaw resides in Windows OLE, part of the underlying operating system.

However, Outlook becomes the gateway, as it processes the RTF files or emails that act as the delivery mechanism for the exploit. 
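Because the delivery mechanism is an RTF file or RTF-formatted mail carrying an embedded OLE object, one useful triage step is to find which files on a mail gateway's quarantine share or a user's download folder actually contain OLE object groups. The PowerShell below is an added example written for this advisory, not code from Censys or Microsoft. It identifies RTF by its `{\rtf` header rather than by file extension, lists the object-related control words it finds, and writes two constructed sample files to a temp directory; the hex in the sample `\objdata` group is a placeholder, not a real object.

```powershell
# Added example (not from the advisory): flag RTF files that contain embedded
# OLE object groups. A hit means "this file embeds an object", not "this file
# is malicious"; legitimate documents embed objects too, so treat hits as leads.

function Get-RtfOleIndicators {
    param([Parameter(Mandatory)][string]$FilePath)

    # RTF is 7-bit text; bytes above 0x7F become '?' and do not matter here.
    $text = [System.IO.File]::ReadAllText($FilePath, [System.Text.Encoding]::ASCII)

    # Identify RTF by its header, not by extension (renamed .doc/.txt files are common).
    if (-not $text.TrimStart().StartsWith('{\rtf')) { return $null }

    # Control words that introduce or describe an embedded/linked OLE object.
    $pattern = '\\(object|objdata|objemb|objlink|objautlink|objclass|objupdate)\b'
    $hits = [regex]::Matches($text, $pattern) |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        File         = $FilePath
        HasOleObject = ($hits -contains '\object')   # \object opens an object group
        ControlWords = @($hits)
    }
}

function Find-RtfWithOleObjects {
    param([Parameter(Mandatory)][string]$Path)   # directory (scanned recursively) or single file
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-RtfOleIndicators -FilePath $_.FullName } |
        Where-Object { $null -ne $_ -and $_.HasOleObject }
}

# --- Constructed samples so the scan can be run offline ---------------------
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'rtf-ole-scan-demo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null

# Plain RTF with no embedded object: should not be reported.
[System.IO.File]::WriteAllText((Join-Path $sampleDir 'plain.rtf'), '{\rtf1\ansi Hello}')

# RTF with an embedded-object group. The \objdata bytes are a placeholder,
# not a real OLE object; the scan only looks at the control words around them.
[System.IO.File]::WriteAllText((Join-Path $sampleDir 'embedded.rtf'),
    '{\rtf1\ansi{\object\objemb{\*\objclass Package}{\*\objdata 0102030405}}}')

# Only embedded.rtf should appear, with \object, \objclass, \objdata, \objemb listed.
Find-RtfWithOleObjects -Path $sampleDir | Format-Table File, ControlWords -AutoSize
```

The scan is text-based and never decodes the object payload, so it says nothing about what an object does; route flagged files to a sandbox or to a tool that parses the OLE streams before acting on them. Scanning content rather than extension matters because Outlook and WordPad honour the `{\rtf` header regardless of the file name.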

To mitigate this vulnerability, configure Microsoft Outlook to open emails in plain text format, which prevents rendering of RTF content that may include malicious OLE objects, and avoid opening RTF files or email attachments from untrusted sources. For a full list of affected products and detailed remediation steps, refer to Microsoft’s Security Advisory.
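The plain-text reading setting recommended above can be enforced per user from PowerShell. This is an added example, not part of the Censys advisory or of Microsoft's guidance text. It assumes Outlook 2016/2019/Microsoft 365 (Office registry version `16.0`) and writes the `ReadAsPlain` and `ReadSignedAsPlain` DWORD values under the Office policy key, which is where Group Policy stores this option; check the path against the Office version you run.

```powershell
# Added example (not from the advisory): enforce and verify Outlook's
# "Read all standard mail in plain text" option for the current user.
# Assumption: Office registry version 16.0 (Outlook 2016/2019/Microsoft 365).
$OfficeVersion = '16.0'
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Set-OutlookReadAsPlain {
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # ReadAsPlain = 1: render incoming HTML/RTF messages as plain text, so the
    # reading pane does not process OLE objects embedded in RTF mail.
    New-ItemProperty -Path $Key -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
    # ReadSignedAsPlain = 1: apply the same to digitally signed messages.
    New-ItemProperty -Path $Key -Name 'ReadSignedAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-OutlookReadAsPlain {
    param([string]$Key = $PolicyKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.ReadAsPlain -eq 1 -and $props.ReadSignedAsPlain -eq 1)
}

Set-OutlookReadAsPlain
if (Test-OutlookReadAsPlain) {
    Write-Output 'Outlook will read mail as plain text (restart Outlook to apply).'
} else {
    Write-Warning 'Plain-text reading is not enforced; check the registry path for your Office version.'
}
```

Values under `HKCU\Software\Policies` take precedence over the user-selectable option in the Trust Center, so the user cannot switch the setting back off; for a fleet, push the same values through Group Policy rather than per-machine scripts. The setting protects the reading pane only: an RTF attachment that is saved and opened in Word or WordPad is still processed, which is why the advice to avoid untrusted RTF attachments stands alongside it, and why applying Microsoft's update remains the actual fix.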


Field: Details

CVE-ID: CVE-2025-21298 – CVSS 9.8 (critical) – assigned by Microsoft

Vulnerability Description: In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.

Date of Disclosure: January 14, 2025

Affected Assets: This vulnerability affects Windows OLE technology.

Vulnerable Software Versions: This vulnerability affects Windows Server products (2008 through 2025) and Windows 10/11 operating systems. The full list of affected products is too long to reproduce here, but it is available in a table in Microsoft’s Security Advisory.

PoC Available?: A PoC is publicly available on GitHub. It demonstrates the memory corruption rather than achieving code execution, but the repository includes an RTF file that reproduces the vulnerability.

Exploitation Status: We did not observe this vulnerability on CISA’s list of known exploited vulnerabilities or in GreyNoise at the time of writing.

Patch Status: Microsoft has shared security updates for each of the affected products in their Security Advisory. They additionally shared specific mitigation guidance for users of Microsoft Outlook, recommending that they read email messages in plain text format.

Censys Perspective

At the time of writing, Censys observed 482,270 exposed Exchange Servers and Outlook Web Access Portals. A large proportion of these (25%) are geolocated in Germany. 

Note that while these exposed servers are not directly vulnerable to CVE-2025-21298 – since the flaw resides in the Windows OLE component rather than Exchange or Outlook itself – they serve as indicators of potential risk. Prioritizing the patching and hardening of systems in these environments is crucial. 

[Figure: Map of Exposed Exchange Server and Outlook Web Access Portals]

Censys Search Query:

services.software: (vendor = "Microsoft" and (product="Exchange Server" or product="Outlook Web Access")) and not labels: {honeypot, tarpit}

Censys ASM Query:

host.services.software: (vendor = "Microsoft" and (product="Exchange Server" or product="Outlook Web Access")) or web_entity.instances.software: (vendor = "Microsoft" and (product="Exchange Server" or product="Outlook Web Access")) and not host.labels: {honeypot, tarpit}
