CVE-2025-21298 allows attackers to execute code by sending a malicious RTF email. The exploit triggers when the email is opened or previewed in an unpatched Outlook client, requiring no user interaction beyond viewing the message. To mitigate the risk, apply Microsoft's patch immediately, or as a temporary measure, disable RTF reading and configure Outlook to display emails in plain text.
- Description: Windows OLE Remote Code Execution Vulnerability
- Source: secure@microsoft.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- secure@microsoft.com: CWE-416
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 1
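Microsoft warns users: a new "critical" vulnerability exists in Microsoft Outlook. It is very easy for hackers to use the Outlook email client to spread malware. Microsoft has released a patch for the CVE-2025-21298 use-after-free vulnerability and urges users to apply it immediately. https://t.co/BNYwDQCkG3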
@alexwangsir
17 Jan 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Keep calm and continue mailing, Microsoft Patches #Outlook Zero-Click: CVE-2025-21298 Exploits RCE via Emails. Stay informed about critical vulnerability (CVE-2025-21298, CVSS 9.8) in Microsoft Outlook. Great Job 🔒 https://t.co/KA0mOEsRxc
@byt3n33dl3
17 Jan 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
9.8 Outlook vulnerability. CVE-2025-21298. Will issue fuller details to clients via a Client Warning newsletter.
@Spotlink
16 Jan 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ CVE-2025-21298 - Windows OLE Remote Code Execution Vulnerability CVSS:3.1 9.8 / 8.5 This is a critical vulnerability, patch ASAP! Found by @thezdi 👏🏼 ➡️ https://t.co/KpC90gwAck
@javutin
16 Jan 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Microsoft has issued a critical security patch for CVE-2025-21298, a zero-click remote code execution vulnerability in Outlook that can be exploited simply by receiving a malicious email. With a CVSS score of 9.8, the flaw poses a significant risk to users, emphasizing the urg...
@CybrPulse
16 Jan 2025
117 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 CVE Alert: Critical Microsoft Windows OLE Remote Code Execution Vulnerability🚨 Vulnerability Details: CVE-2025-21298 (CVSS 9.8/10) Microsoft Windows OLE Remote Code Execution Vulnerability Impact A successful exploit may allow remote attackers to execute arbitrary code on…
@CyberxtronTech
16 Jan 2025
155 Impressions
1 Retweet
1 Like
1 Bookmark
0 Replies
0 Quotes
Microsoft Patches Outlook Zero-Click: CVE-2025-21298 Exploits RCE via Emails https://t.co/oP0ioFlyZE
@Dinosn
16 Jan 2025
2735 Impressions
13 Retweets
28 Likes
10 Bookmarks
0 Replies
0 Quotes
Microsoft Patches Outlook Zero-Click: CVE-2025-21298 Exploits RCE via Emails Stay informed about the latest critical vulnerability (CVE-2025-21298, CVSS 9.8) in Microsoft Outlook. Learn about the high-risk nature and implications for email security https://t.co/cwvuFdkk5c
@the_yellow_fall
16 Jan 2025
1303 Impressions
3 Retweets
29 Likes
8 Bookmarks
0 Replies
0 Quotes
CVE-2025-21298 Windows OLE Remote Code Execution Vulnerability. https://t.co/nxePiYs6F8 https://t.co/64KPWD4Xrv
@nflatrea
15 Jan 2025
134 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Windows OLE Remote Code Execution Vulnerability - CVE-2025-21298. Please see the @ncsc_gov_ie advisory for more details: https://t.co/KfjDN9MYZh
@ncsc_gov_ie
15 Jan 2025
402 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
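What catches my attention this month are the Windows OLE RCE (CVE-2025-21298), which looks likely to be exploited, and the unauthenticated RCEs in Remote Desktop Gateway (CVE-2025-21297, CVE-2025-21309) (though these are race conditions, so the difficulty is high). The January 2025 Security Update Review https://t.co/fKEOFMtBoc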
@autumn_good_35
15 Jan 2025
645 Impressions
0 Retweets
2 Likes
3 Bookmarks
0 Replies
0 Quotes
Microsoft has just given a critical security vulnerability disclosure, known as CVE-2025-21298, to the Windows Object Linking and Embedding (OLE) that could remotely execute code via specially crafted emails. This "Use After Free" vulnerability has a CVSS score of 9.8, which… ht
@MatterIdentity
15 Jan 2025
200 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
❗️ #CERTWarnung ❗️ On yesterday's Patch Day, Microsoft published information on various vulnerabilities. From @certbund's point of view, CVE-2025-21298 poses a particular threat potential: https://t.co/oWt7ynbZtg
@certbund
15 Jan 2025
2746 Impressions
9 Retweets
22 Likes
4 Bookmarks
0 Replies
0 Quotes
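[Security News] First MS monthly patch of 2025 - fixes 158 issues including zero-day vulnerabilities (page 1 of 3): Security NEXT https://t.co/CuqktB9KVp "Looking specifically at the three vulnerabilities with a CVSS base score of '9.0' or higher: 'CVE-2025-21298' relating to 'Windows OLE', 'Windows Reliable Multicast… https://t.co/L2YmbMe3LA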
@taku888infinity
15 Jan 2025
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes