New Vulnerability Detected in Microsoft Outlook

A new vulnerability has been discovered in Microsoft Outlook, identified as CVE-2025-21298. This vulnerability resides in the Windows Object Linking and Embedding (OLE) system, specifically in the ole32.dll component. It is caused by a “double-free” error and enables remote code execution (RCE). As a “zero-click” vulnerability, it allows attackers to compromise a system without any user interaction.

This vulnerability was identified in the UtOlePresStmToContentsStm function of the ole32.dll component. The function is responsible for processing OLE objects in Rich Text Format (RTF) files and mishandles the pstmContents pointer. If the UtReadOlePresStmHeader function fails, the memory associated with the pstmContents pointer is freed a second time, leading to a “double-free” error.

Attackers can exploit this vulnerability by crafting malicious RTF files and sending them via email. Even if the user does not open the malicious file in Outlook or Word, simply previewing the email is enough to trigger the attack and compromise the system.

The CVE-2025-21298 vulnerability has a CVSS score of 9.8, indicating a critical level of risk. Its zero-click nature makes it particularly dangerous, as it requires no user interaction. The vulnerability affects Windows 10, Windows 11, and Windows Server versions from 2008 through 2025.

Microsoft addressed this issue in its January 2025 security update. The patch resolves the vulnerability by setting the pstmContents pointer to NULL after memory is freed, thus preventing the “double-free” error. Additionally, error-handling procedures have been enhanced.
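To make the defect and the fix concrete, the following is an added illustration written for this article; it is not code from ole32.dll or from Microsoft's patch. The function and format names (`read_pres_header`, `convert_vulnerable`, `convert_fixed`, the 4-byte "PRES" magic) are hypothetical stand-ins for the UtReadOlePresStmHeader / UtOlePresStmToContentsStm pattern the article describes. A small quarantining allocator wrapper stands in for what a sanitizer or debug heap does: it records each released pointer and counts any repeated release instead of corrupting the heap, so both the buggy shape and the NULL-after-free fix can be run side by side on a constructed malformed stream.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_QUARANTINE 16

/* Quarantining release wrapper (stand-in for a debug heap / sanitizer):
   freed pointers are parked, not returned to malloc, so a repeated release
   is detected by address and counted rather than corrupting the heap. */
static void *g_quarantine[MAX_QUARANTINE];
static int g_quarantine_n;
static int g_double_free_count;

static void tracked_reset(void) {
    for (int i = 0; i < g_quarantine_n; i++) free(g_quarantine[i]);
    g_quarantine_n = 0;
    g_double_free_count = 0;
}

static void tracked_free(void *p) {
    if (!p) return;                /* free(NULL) is a no-op: this is why nulling the pointer is a complete fix */
    for (int i = 0; i < g_quarantine_n; i++) {
        if (g_quarantine[i] == p) { g_double_free_count++; return; }  /* would be UB on the real heap */
    }
    if (g_quarantine_n < MAX_QUARANTINE) g_quarantine[g_quarantine_n++] = p;
    else free(p);
}

/* Constructed stand-in for a presentation stream: 4-byte magic then payload.
   Hypothetical layout, not the real OLE presentation-stream format. */
typedef struct { const unsigned char *data; size_t len; } pres_stream_t;

/* Stand-in for the header read (the article's UtReadOlePresStmHeader):
   0 on success, -1 on a malformed header. */
static int read_pres_header(const pres_stream_t *s) {
    static const unsigned char magic[4] = { 'P', 'R', 'E', 'S' };
    if (s->len < 5 || memcmp(s->data, magic, 4) != 0) return -1;
    return 0;
}

/* Vulnerable shape: the error branch releases the contents buffer, then the
   shared cleanup releases it again because the pointer still holds the stale address. */
static int convert_vulnerable(const pres_stream_t *s) {
    int rc = 0;
    unsigned char *contents = malloc(64);
    if (!contents) return -1;
    if (read_pres_header(s) != 0) {
        tracked_free(contents);    /* first release */
        rc = -1;
        goto cleanup;
    }
    memcpy(contents, s->data + 4, s->len - 4 > 64 ? 64 : s->len - 4);
cleanup:
    tracked_free(contents);        /* second release on the error path: double free */
    return rc;
}

/* Fixed shape: same flow, but the pointer is set to NULL right after the first
   release, so the cleanup's release becomes a harmless no-op. */
static int convert_fixed(const pres_stream_t *s) {
    int rc = 0;
    unsigned char *contents = malloc(64);
    if (!contents) return -1;
    if (read_pres_header(s) != 0) {
        tracked_free(contents);
        contents = NULL;           /* the fix: no stale pointer survives the error path */
        rc = -1;
        goto cleanup;
    }
    memcpy(contents, s->data + 4, s->len - 4 > 64 ? 64 : s->len - 4);
cleanup:
    tracked_free(contents);
    return rc;
}

/* Runs one converter over a constructed malformed stream (wrong magic) and
   returns how many repeated releases the tracker caught: 1 for the vulnerable
   shape, 0 once fixed. */
static int double_frees_for(int (*convert)(const pres_stream_t *)) {
    static const unsigned char bad[] = { 'X', 'X', 'X', 'X', 0x01 };   /* constructed input */
    pres_stream_t s = { bad, sizeof bad };
    tracked_reset();
    (void)convert(&s);
    int n = g_double_free_count;
    tracked_reset();
    return n;
}

/* Sanity check on a well-formed stream: the converter succeeds and frees exactly once. */
static int valid_stream_rc(int (*convert)(const pres_stream_t *)) {
    static const unsigned char good[] = { 'P', 'R', 'E', 'S', 0x01 };  /* constructed input */
    pres_stream_t s = { good, sizeof good };
    tracked_reset();
    int rc = convert(&s);
    int doubles = g_double_free_count;
    tracked_reset();
    return rc == 0 && doubles == 0 ? 0 : -1;
}

int main(void) {
    printf("vulnerable: %d repeated release(s)\n", double_frees_for(convert_vulnerable));
    printf("fixed:      %d repeated release(s)\n", double_frees_for(convert_fixed));
    return 0;
}
```

The detection side is the point for defenders: a release wrapper keyed on address (as Application Verifier, AddressSanitizer and debug heaps do) turns a silent double free into a reportable event during fuzzing or test runs, and the one-line `contents = NULL` after the first release is exactly the kind of change the article says the January 2025 patch made.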

Microsoft’s recommendations for users:

  1. Apply updates immediately. Ensure your Windows operating system is updated to the latest version, including the security patch.
  2. Disable RTF previews. If updating is not immediately possible, temporarily disable the RTF preview feature in Outlook.
  3. Enhance email security. Implement advanced threat detection tools for email attachments to bolster security.
  4. Monitor for threats. Use the Kusto Query Language (KQL) script provided by Matt Johansen to detect signs of exploitation within your network.

The ease of exploiting this vulnerability highlights the importance of raising awareness in the field of cybersecurity. Microsoft’s swift response underscores the critical nature of the issue. Users are urged to promptly update their systems and take measures to safeguard against such threats.
