{“lastseen”:”2025-08-13T08:36:38″,”description”:”# \ud83d\uded1 CVE-2025-21298 \u2013 Critical Zero-Click RCE in Microsoft Windows OLE\\n\\n—\\n\\n## \ud83d\udccc Overview\\n\\n* **\ud83d\udcc2 Component:** Microsoft Windows OLE (Object Linking and Embedding) \u2013 specifically in `ole32.dll`\\n* **\ud83d\udc1e Vulnerability Type:** Double-free memory corruption\\n* **\ud83d\udccc Function Affected:** `UtOlePresStmToContentsStm`\\n* **\ud83d\udd25 Severity:** CVSS 3.1 score **9.8** \u2013 Critical\\n* **\ud83d\udcc5 Patch Release:** January 2025 Microsoft Security Updates\\n* **\ud83d\udce5 Attack Vector:** Specially crafted RTF file\\n* **\u26a0\ufe0f Interaction Required:** None (zero-click, triggered on preview)\\n* **\ud83c\udfaf Primary Targets:** Outlook users, but also Word or any OLE-capable application\\n\\n—\\n\\n## \u2699\ufe0f Technical Details\\n\\n1. **Double-Free Bug**\\n\\n * When processing an RTF file containing certain embedded OLE objects, `ole32.dll` fails to properly manage memory cleanup.\\n * The `pstmContents` pointer is freed twice under specific conditions, leading to heap corruption.\\n\\n2. **Exploitation Path**\\n\\n * An attacker crafts a malicious RTF containing payload data that manipulates OLE structures.\\n * When the victim **previews** the email in Outlook, the RTF renderer calls OLE functions.\\n * The double-free allows overwriting heap metadata or function pointers.\\n * Attacker-controlled code is executed in the context of the user \u2014 potentially SYSTEM if chained with privilege escalation.\\n\\n3. **Why It\u2019s Dangerous**\\n\\n * **Zero-click** \u2192 user doesn\u2019t need to open the file manually.\\n * **Email-borne** \u2192 can be mass-exploited.\\n * **Widespread Reach** \u2192 affects almost all supported Windows versions.\\n\\n—\\n\\n## \ud83d\udcbb Affected Systems\\n\\n* **Windows 10:** Versions 1507 \u2192 22H2\\n* **Windows 11:** Up to 24H2\\n* **Windows Server:** 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2025\\n\\n—\\n\\n## \ud83d\udee1\ufe0f Mitigation\\n\\n1. **Install Microsoft\u2019s January 2025 patch** \u2014 fully fixes the issue.\\n2. If patching is delayed:\\n\\n * \ud83d\udcdc Configure Outlook to display all emails as **plain text**.\\n * \ud83d\udce6 Block `.rtf` attachments at the mail gateway or via endpoint policies.\\n * \ud83d\udd12 Disable preview pane for untrusted messages.\\n\\n—\\n\\n## \ud83d\udc40 Detection \\u0026 Monitoring\\n\\n* **Endpoint:** Look for processes loading `ole32.dll` when handling `.rtf` files from untrusted sources.\\n* **Network:** Monitor inbound email traffic for `.rtf` attachments with abnormal OLE object streams.\\n* **Security Tools:** Use EDR rules or Sigma detections for RTF OLE exploitation patterns.\\n\\n—\\n\\n## \ud83d\udcca Risk Summary Table\\n\\n| \ud83d\udcdd Aspect | \ud83d\udccc Details |\\n| —————— | ——————————————— |\\n| Vulnerability Type | Zero-click RCE via OLE double-free |\\n| Severity | \ud83d\udd25 CVSS 9.8 \u2013 Critical |\\n| Attack Vector | Previewing crafted RTF in Outlook \/ Word |\\n| Impact | \ud83d\udda5\ufe0f Remote code execution |\\n| Affected Systems | Windows 10, 11, Server 2008\u20132025 |\\n| Fix | \ud83d\udee1\ufe0f January 2025 Patch |\\n| Workarounds | Block RTF, plain-text emails, disable preview |\\n\\n—\\n\\n## \ud83e\udde0 Exploit Chain Diagram (Text Form)\\n\\n“`\\n\ud83d\udce9 Attacker sends crafted RTF email\\n \u2193\\n\ud83d\udcec Victim receives email in Outlook\\n \u2193\\n\ud83d\udc40 Victim previews message (no click required)\\n \u2193\\n\ud83e\udde9 RTF renderer calls OLE32.dll \u2192 double-free in UtOlePresStmToContentsStm\\n \u2193\\n\ud83d\udca5 Memory corruption \u2192 payload execution\\n \u2193\\n\ud83c\udfaf Attacker gains code execution on target system\\n“`\\n\\n—\\n\\n## \ud83d\udd77\ufe0f vulnerability:\\n\\n\\nThe vulnerability is located in `ole32.dll!UtOlePresStmToContentsStm`. The purpose of the function is ti convert data in an **\\”OlePres\\”** stream within an OLE storage into appropriately formatted data and insert it into the **\\”CONTENTS\\”** stream in the same storage. It receives an IStorage pointer to a storage object and three rather unimportant arguments.\\n\\nBelow we can see the implementation of the function with a diff from the Jan 2025 patch:\\n\\n\\n“`json\\n__int64 __fastcall UtOlePresStmToContentsStm(IStorage *pstg, wchar_t *puiStatus, __int64 a3, unsigned int *lpszPresStm)\\n{\\n struct IStorageVtbl *lpVtbl; \/\/ rax\\n int v7; \/\/ r14d\\n+ bool IsEnabled; \/\/ al\\n IStream *v10; \/\/ rcx\\n bool v11; \/\/ zf\\n struct IStorageVtbl *v12; \/\/ rax\\n int v13; \/\/ ebx\\n HRESULT v14; \/\/ eax\\n const wchar_t *v15; \/\/ rdx\\n IStream *pstmContents; \/\/ [rsp+40h] [rbp-19h] BYREF\\n IStream *pstmOlePres; \/\/ [rsp+48h] [rbp-11h] BYREF\\n tagFORMATETC foretc; \/\/ [rsp+50h] [rbp-9h] BYREF\\n tagHDIBFILEHDR hdfh; \/\/ [rsp+70h] [rbp+17h] BYREF\\n\\n *lpszPresStm = 0;\\n lpVtbl = pstg-\\u003elpVtbl;\\n pstmContents = 0LL;\\n v7 = 1;\\n \/\/ Create a \\”CONTENTS\\” stream in the storage and store it into pstmContents\\n if ( (lpVtbl-\\u003eCreateStream)(pstg, L\\”CONTENTS\\”, 18LL, 0LL, 0, \\u0026pstmContents) )\\n return 0LL;\\n \/\/ Immediately release pstmContents, we’re not going to be using it right now\\n (pstmContents-\\u003elpVtbl-\\u003eRelease)(pstmContents);\\n+ IsEnabled = wil::details::FeatureImpl::__private_IsEnabled(\\u0026`wil::Feature::GetImpl’::`2′::impl);\\n+ v10 = pstmContents;\\n+ v11 = !IsEnabled;\\n v12 = pstg-\\u003elpVtbl;\\n+ if ( !v11 )\\n+ v10 = 0LL;\\n+ pstmContents = v10;\\n (v12-\\u003eDestroyElement)(pstg, L\\”CONTENTS\\”);\\n v13 = (pstg-\\u003elpVtbl-\\u003eOpenStream)(pstg, \\u0026OlePres, 0LL, 16LL, 0, \\u0026pstmOlePres);\/\/ 2nd option to fail -\\u003e no OlePres stream\\n if ( v13 )\\n {\\n *lpszPresStm |= 1u;\\n if ( (pstg-\\u003elpVtbl-\\u003eOpenStream)(pstg, L\\”CONTENTS\\”, 0LL, 16LL, 0, \\u0026pstmContents) )\\n {\\n *lpszPresStm |= 2u;\\n }\\n else\\n {\\n (pstmContents-\\u003elpVtbl-\\u003eRelease)(pstmContents);\\n+ wil::details::FeatureImpl::__private_IsEnabled(\\u0026`wil::Feature::GetImpl’::`2′::impl);\\n }\\n return v13;\\n }\\n foretc.ptd = 0LL;\\n v13 = UtReadOlePresStmHeader(pstmOlePres, \\u0026foretc, 0LL, 0LL);\\n if ( v13 \\u003e= 0 )\\n {\\n v13 = (pstmOlePres-\\u003elpVtbl-\\u003eRead)(pstmOlePres, \\u0026hdfh, 16LL);\\n if ( v13 \\u003e= 0 )\\n {\\n v13 = OpenOrCreateStream(pstg, L\\”CONTENTS\\”, \\u0026pstmContents);\\n if ( v13 lpVtbl-\\u003eRelease)(pstmOlePres);\\n \/\/ Release pstmContents if it still exists, we need to clean up\\n if ( pstmContents )\\n (pstmContents-\\u003elpVtbl-\\u003eRelease)(pstmContents);\\n if ( foretc.ptd )\\n CoTaskMemFree(foretc.ptd);\\n if ( v13 )\\n {\\n v15 = L\\”CONTENTS\\”;\\n goto LABEL_31;\\n }\\n if ( v7 )\\n {\\n v15 = \\u0026OlePres;\\nLABEL_31:\\n (pstg-\\u003elpVtbl-\\u003eDestroyElement)(pstg, v15);\\n }\\n return v13;\\n}\\n“`\\n\\nThe problem is in the pstmContents variable. Initially it’s used to store the pointer to the \\”CONTENTS\\” stream object that’s created at the beginning of the function. The stream is immediately destroyed after being created and the pointer stored in pstmContents is released (which frees it in coml2.dll!ExposedStream::~ExposedStream). However, the variable still contains the free’d pointer. Further down in the function, the variable may be reused to store the pointer to the \\”CONTENTS\\” stream again – because of this, there’s cleanup code at the end of the function that releases the pointer in case it’s stored in the variable. The code fails to account for the fact that UtReadOlePresStmHeader may fail – if that happens, pstmContents will still point towards the free’d pointer and we’ll fall through to the cleanup code, which will release the pointer again. As such, a double-free situation will happen.\\n\\n\\n—\\n\\n\\n## \u26a0\ufe0f **Disclaimer**\\n\\nThis information about **CVE-2025-21298** is provided **strictly for educational and defensive purposes**.\\nAny attempt to exploit this vulnerability on systems without **explicit, prior, written authorization** is **illegal** and may result in **criminal charges**, civil liability, or both.\\n\\nThe goal is to help security professionals, researchers, and system administrators **understand, detect, and mitigate** the issue \u2014 **not** to encourage malicious activity.\\nAlways conduct testing in a **controlled lab environment** or on systems you fully own and control.\\n\\n”,”published”:”2025-08-09T11:24:49″,”modified”:”2025-08-09T11:33:27″,”type”:”githubexploit”,”title”:”Exploit for Use After Free in Microsoft”,”source”:””,”references”:””,”id”:”AAEE25D1-B8D4-5BC9-B294-1601F1A0ECD7″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-21298″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/github.com\/B1ack4sh\/Blackash-CVE-2025-21298″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-13T08:36:38″,”description”:”# \ud83d\uded1 CVE-2025-21298 \u2013 Critical Zero-Click RCE in Microsoft Windows OLE\\n\\n—\\n\\n## \ud83d\udccc Overview\\n\\n* **\ud83d\udcc2 Component:** Microsoft Windows OLE (Object Linking and Embedding) \u2013 specifically in…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,32,13,7,11,5],"class_list":["post-10522","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-githubexploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n