CVE-2025-21298 Detection: Critical Zero-Click OLE Vulnerability in Microsoft Outlook Results in Remote Code Execution

Hard on the heels of the disclosure of a denial-of-service (DoS) vulnerability in Windows LDAP, tracked as CVE-2024-49113 aka LDAPNightmare, another highly critical vulnerability affecting Microsoft products has come onto the scene. The recently patched Microsoft Outlook vulnerability, tracked as CVE-2025-21298, poses significant email security risks: it allows attackers to achieve RCE on Windows devices through a specially crafted email.

Detect CVE-2025-21298 Exploitation Attempts with Free Sigma Rule from SOC Prime

In January 2025 alone, 2,560 vulnerabilities have been identified, making the beginning of the year a particularly high-risk period due to the surge in vulnerabilities under active exploitation. Notable examples include CVE-2024-49112, CVE-2024-55591, and CVE-2024-49113.

Further intensifying the urgency, CVE-2025-21298—a zero-click flaw with a 9.8 severity rating that results in remote code execution (RCE) on affected instances—has been disclosed, posing a severe threat that requires immediate action. SOC Prime Platform for collective cyber defense offers a free Sigma rule to detect exploitation attempts in time.

MS Office Drops Suspicious Files (via file_event)

This rule helps identify systems interacting with .rtf files or other suspicious file types commonly linked to OLE exploitation, so that patching can be prioritized on hosts actively processing high-risk extensions (e.g., .rtf, .dll, .exe). The detection is compatible with multiple SIEM, EDR, and Data Lake solutions and is mapped to MITRE ATT&CK, addressing the Exploitation for Client Execution (T1203) technique and the Phishing: Spearphishing Attachment (T1566.001) sub-technique. Additionally, the rule is enriched with extensive metadata, including CTI references, attack timelines, and more.
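To make the rule's logic concrete, here is an added example (not SOC Prime's rule and not code from this post) that applies the same idea to constructed Sysmon-style file_event records: flag an Office process writing a file with a high-risk extension. The process list, extension list, JSON layout and sample paths are assumptions of the example.

```python
import json
from pathlib import PureWindowsPath

# Office executables that should rarely, if ever, drop the file types below.
# Both sets are assumptions of this example, not the contents of SOC Prime's rule.
OFFICE_PROCESSES = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
HIGH_RISK_EXTENSIONS = {".rtf", ".dll", ".exe"}


def is_suspicious_drop(event: dict) -> bool:
    """True when an Office process creates a file with a high-risk extension.

    `event` mirrors a Sysmon Event ID 11 (FileCreate) record; Image and
    TargetFilename are the Sysmon field names, the JSON-per-line layout is assumed.
    """
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    suffix = PureWindowsPath(event.get("TargetFilename", "")).suffix.lower()
    return image in OFFICE_PROCESSES and suffix in HIGH_RISK_EXTENSIONS


def scan_events(lines):
    """Parse JSON-per-line file_event telemetry and return the matching records."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not allowed to stop the scan
        if is_suspicious_drop(event):
            hits.append(event)
    return hits


# Constructed sample telemetry (not real logs): three benign writes, two that match.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice.ost"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\Documents\\Report.docx"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.exe"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.rtf"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"}
"""

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"suspicious drop: {hit['Image']} -> {hit['TargetFilename']}")
```

In a real deployment the two sets would be tuned per environment, since legitimate add-ins can write DLLs and some workflows save RTF from Word.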

Security professionals seeking more relevant content addressing exploitation attempts against this vulnerability can track any new rules added to Threat Detection Marketplace under the CVE-2025-21298 tag. Cyber defenders can also access the whole detection stack aimed at proactive vulnerability exploitation detection in the SOC Prime Platform.


CVE-2025-21298 Analysis

CVE-2025-21298, a critical zero-click RCE vulnerability addressed in Microsoft’s latest 2025 Patch Tuesday update, carries a CVSS score of 9.8. The flaw can be triggered by a malicious RTF document, often delivered as an attachment or link in phishing campaigns designed to lure victims into opening it.

The vulnerability exists in Windows OLE, a technology that enables the embedding and linking of documents and objects. According to Microsoft, exploitation can occur if a victim opens or previews a specially crafted email in Outlook. Attackers weaponize this flaw by sending a malicious email; simply opening or previewing it in Outlook can trigger RCE on the targeted system.

Defenders consider CVE-2025-21298 a major threat to organizations due to its low attack complexity and low level of user interaction. Upon successful exploitation, the vulnerability could cause full system compromise, giving attackers the green light to execute arbitrary code, install offensive software, modify or delete data, and access sensitive information.

As potential CVE-2025-21298 mitigation measures, it is imperative to apply the patch immediately, especially for email clients like Outlook. For organizations unable to install the required updates, defenders recommend using the Microsoft-provided workaround of opening RTF files from unknown sources in plain text format. Rely on SOC Prime Platform for proactive vulnerability exploitation detection and a future-proof defense against any emerging cyber threats, using a complete product suite for advanced threat detection, automated threat hunting, and intelligence-driven detection engineering.

The post CVE-2025-21298 Detection: Critical Zero-Click OLE Vulnerability in Microsoft Outlook Results in Remote Code Execution appeared first on SOC Prime.