
Critical Zero-Click Vulnerability in Windows OLE Poses Widespread Risk

zero-click RCE vulnerability in Windows OLE (CVE-2025-21298)

Microsoft has addressed a severe security vulnerability (CVE-2025-21298) in Windows Object Linking and Embedding (OLE) that could allow attackers to execute malicious code without any user interaction. The critical flaw, which received a CVSS score of 9.8, was patched in Microsoft's January 2025 security updates.

The vulnerability stems from a double-free memory bug in the ole32.dll component, specifically within the UtOlePresStmToContentsStm function that handles OLE storage streams. 

What makes this flaw particularly dangerous is its "zero-click" nature – simply previewing a malicious Rich Text Format (RTF) email in Microsoft Outlook can trigger the exploit, requiring no additional user action.

Security researchers have identified that the vulnerability affects a broad range of systems, including Windows Server versions from 2008 through 2025 and Windows 10/11 platforms. While Microsoft Exchange Server and Outlook themselves aren't directly vulnerable, they can serve as delivery channels for malicious RTF emails that exploit the flaw.

The technical root cause involves a pointer management issue where the pstmContents variable is released but not properly nullified, leading to a dangling pointer that references freed memory. If subsequent operations fail, the cleanup code attempts to release the same pointer again, resulting in heap corruption that attackers can exploit for arbitrary code execution.

Microsoft's patch addresses the vulnerability by explicitly nullifying the pointer after its initial release and implementing additional feature flags to improve memory management in error-handling scenarios.
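To make the bug class concrete, the following added example (not Microsoft's code, and not the real ole32 routine) models the double release described above with a constructed stand-in for a COM stream: `convert_vulnerable` keeps the dangling pointer and releases it again on the failure path, while `convert_patched` applies the one-line fix from the patch. `Stream`, `Stream_Release`, `release_count` and the two `convert_*` functions are all hypothetical names for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for a COM stream object (constructed for this example, not the
 * real IStream): a reference count plus a counter of every Release() call,
 * so a caller can observe whether the same object was released twice. */
typedef struct Stream {
    int refcount;
    int release_calls;
} Stream;

/* Mimics IUnknown::Release. Once refcount reaches zero the object would be
 * freed; any further call is a use of freed memory (the double free). */
static int Stream_Release(Stream *s) {
    s->release_calls++;
    if (s->refcount > 0) s->refcount--;
    return s->refcount;
}

/* Shape of the bug the article describes: the contents stream is released,
 * the local pointer is left dangling, and when a later step fails the shared
 * cleanup path sees a non-NULL pointer and releases it a second time.
 * Returns how many times Release() ran on the stream. */
static int convert_vulnerable(Stream *contents, bool later_step_fails) {
    Stream *pstmContents = contents;
    Stream_Release(pstmContents);           /* first release, pointer kept */
    /* ... DestroyElement(pstg, L"CONTENTS") and further processing ... */
    if (later_step_fails) goto cleanup;
    return contents->release_calls;
cleanup:
    if (pstmContents) Stream_Release(pstmContents);  /* second release */
    return contents->release_calls;
}

/* Same flow with the fix from the patch: nulling the pointer right after the
 * first release makes the cleanup guard skip it on the failure path. */
static int convert_patched(Stream *contents, bool later_step_fails) {
    Stream *pstmContents = contents;
    Stream_Release(pstmContents);
    pstmContents = NULL;                    /* the patched line */
    if (later_step_fails) goto cleanup;
    return contents->release_calls;
cleanup:
    if (pstmContents) Stream_Release(pstmContents);  /* now never runs */
    return contents->release_calls;
}

/* Runs one scenario on a fresh stream holding a single reference. */
static int release_count(bool patched, bool later_step_fails) {
    Stream s = {1, 0};
    return patched ? convert_patched(&s, later_step_fails)
                   : convert_vulnerable(&s, later_step_fails);
}
```

On the failure path the vulnerable flow releases the stream twice while the patched flow releases it once; on the success path both release it exactly once, which is why the defect only surfaces in error handling.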

Here’s the relevant change in the patch diff:

+ IsEnabled = wil::details::FeatureImpl<__WilFeatureTraits_Feature_3047977275>::__private_IsEnabled(&`wil::Feature<__WilFeatureTraits_Feature_3047977275>::GetImpl'::`2'::impl);
+ pstmContents = nullptr;
  (pstg->lpVtbl->DestroyElement)(pstg, L"CONTENTS");
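Review bot: whether `pstmContents = nullptr;` executes unconditionally or only when the `IsEnabled` feature-flag check on the preceding line is true is not visible in this hunk; if the nulling is gated by the flag, the dangling pointer and the second release on the error path remain whenever the flag is off, so the assignment should be unconditional or the gating confirmed. The `Release` call that the nulling must directly follow is outside the shown context; confirm that no step between that release and this assignment can fail and reach the cleanup with the stale pointer.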

The company has also introduced new security checks to prevent similar issues in the future.

Security experts recommend several immediate actions for organizations:

  1. Deploy the January 2025 security updates across all affected Windows systems
  2. Configure Outlook to display RTF files in plain text format as a temporary mitigation
  3. Implement advanced threat detection for monitoring email attachments
  4. Conduct security architecture reviews focusing on RTF document handling
  5. Strengthen network segmentation to limit the impact of potential compromises

It is worth noting that the proof-of-concept code is already available in public repositories, which has raised concerns about potential exploitation attempts. 

Organizations with large numbers of Windows endpoints are considered prime targets, as a single compromised system with privileged access could potentially lead to broader network compromise.

Security teams are advised to monitor updates from Microsoft, CISA, and threat intelligence sources for any signs of active exploitation in the wild.
