This article delves into CVE-2025–21298, a critical zero-click Remote Code Execution vulnerability affecting Windows Object Linking and Embedding (OLE). This flaw enables attackers to execute arbitrary code without user interaction. Immediate action is necessary to mitigate the risks related to this vulnerability. Affected: Windows OLE, cybersecurity sectors, and end-user devices
Keypoints :
- CVE-2025–21298 is a zero-click RCE vulnerability in Windows OLE.
- Attackers can execute arbitrary code without user interaction.
- Detection of the vulnerability was reported on February 4, 2025.
- The alert was triggered by a malicious RTF file exploiting the vulnerability.
- Network activity showed communication with a malicious IP address (84.38.130.118).
- Multiple antivirus solutions flagged the RTF file as malicious.
- The incident response included analysis using VirusTotal and Hybrid Analysis.
- Containment measures were undertaken according to SOC procedures.
- Key artifacts for investigation included a malicious ZIP file, an MD5 hash, and the SMTP address of the sender.
MITRE Techniques :
- T1203 – Exploitation for Client Execution: The RTF file was exploited through the CVE-2025–21298 vulnerability to execute arbitrary code.
- T1071 – Application Layer Protocol: The executed command from the compromised endpoint communicated with a command and control server at the identified malicious IP.
- T1047 – Windows Management Instrumentation: The use of regsvr32.exe to download and execute a script reflects the utilization of WMI for executing commands.
Indicator of Compromise :
- [IP Address] 84.38.130.118
- [Email Address] projectmanagement@pm.me
- [MD5 Hash] df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184
- [MD5 Hash] 961027d29dda725b8117571a6a6ca1d5
- [URL] http://84.38.130.118/shell.sct
Views: 79