CVE-2025-21298

CRITICAL

Windows 10 1507-22H2, Windows 11 22H2-24H2, Windows Server 2008-2012 - Remote Code Execution via OLE Use-After-Free


Exploitation Summary

EIP tracks 8 public exploits for CVE-2025-21298. PoCs published by ynwarcs, fy-poc, Denyningbow.

AI-analyzed exploit summary: This is a proof-of-concept for CVE-2025-21298, a Windows OLE Remote Code Execution Vulnerability. The exploit demonstrates a memory corruption issue in `ole32.dll!UtOlePresStmToContentsStm` leading to a double-free situation.

Description

Windows OLE Remote Code Execution Vulnerability

Exploits (8)

nomisec · WORKING POC · 195 stars
by ynwarcs · poc
https://github.com/ynwarcs/CVE-2025-21298

This is a proof-of-concept for CVE-2025-21298, a Windows OLE Remote Code Execution Vulnerability. The exploit demonstrates a memory corruption issue in `ole32.dll!UtOlePresStmToContentsStm` leading to a double-free situation.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows OLE (ole32.dll)
No auth needed
Prerequisites: A system with a vulnerable version of ole32.dll · An application that parses RTF data with embedded OLE objects
devstral-2 · analyzed Feb 16, 2026
nomisec · WRITEUP · 1 star
by fy-poc · poc
https://github.com/fy-poc/full-poc-CVE-2025_21298

The repository contains a writeup describing CVE-2025-21298, a Use After Free vulnerability in Microsoft Windows' OLE technology, specifically in the UtOlePresStmToContentsStm function within ole32.dll. Exploitation occurs via malicious RTF files, leading to potential remote code execution.

Classification: Writeup (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft Windows (OLE technology, ole32.dll)
No auth needed
Prerequisites: Malicious RTF file · User interaction (opening the file)
devstral-2 · analyzed Feb 16, 2026
nomisec · WRITEUP · 1 star
by Denyningbow · poc
https://github.com/Denyningbow/rtf-ctf-cve-2025-21298

This repository provides a safe CTF challenge demonstrating RTF-based OLE exploits, specifically CVE-2025-21298, without any malicious payload. It guides users to extract a hidden flag from an embedded OLE object using tools like oletools.

Classification: Writeup (100%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: RTF files with embedded OLE objects
No auth needed
Prerequisites: Python 3 · oletools
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by Dit-Developers · poc
https://github.com/Dit-Developers/CVE-2025-21298

This repository contains a proof-of-concept for CVE-2025-21298, a Windows OLE Remote Code Execution Vulnerability (CVSS 9.8). The vulnerability is a memory corruption issue in `ole32.dll!UtOlePresStmToContentsStm` due to a double-free situation, which Microsoft patched by setting `pstmContents` to zero after releasing the pointer.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (ole32.dll)
No auth needed
Prerequisites: A target system running an unpatched version of Windows vulnerable to CVE-2025-21298 · An application that parses RTF data (e.g., MS Word, Outlook)
devstral-2 · analyzed Feb 16, 2026
github · WRITEUP
by abc1230940 · poc
https://github.com/abc1230940/SOC336-Windows-OLE-Zero-Click-RCE-Exploitation-Detected-CVE-2025-21298

This repository provides a detailed technical analysis of a phishing attack leveraging CVE-2025-21298, a Windows OLE Zero-Click RCE vulnerability. It includes forensic evidence, log analysis, and process trees showing how the exploit chain unfolds from a malicious RTF attachment to command execution via regsvr32.exe.

Classification: Writeup (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (OLE/Outlook)
No auth needed
Prerequisites: Phishing email with malicious RTF attachment · User interaction (opening email)
devstral-2 · analyzed May 27, 2026
nomisec · WRITEUP
by C-G-creator · poc
https://github.com/C-G-creator/LetsDefend-SOC336-Windows-OLE-Zero-Click-RCE-Exploitation-Detected-CVE-2025-21298

This repository provides a detailed SOC case study documenting the investigation of a Windows OLE zero-click RCE exploit (CVE-2025-21298) delivered via a malicious RTF attachment. It includes email triage, attachment analysis, threat intel correlation, endpoint activity review, and containment steps.

Classification: Writeup (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows OLE
No auth needed
Prerequisites: Malicious RTF attachment · Email delivery
devstral-2 · analyzed May 11, 2026
nomisec · WRITEUP
by tarunbharathe · poc
https://github.com/tarunbharathe/Zero-Click-RCE-Incident-Response-CVE-2025-21298

This repository provides a detailed incident response analysis of CVE-2025-21298, a Windows OLE Zero-Click RCE vulnerability. It includes forensic evidence, IOCs, and mitigation steps but does not contain functional exploit code.

Classification: Writeup (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Windows OLE (specific version not specified)
No auth needed
Prerequisites: Weaponized RTF file · Network access to C2 server
devstral-2 · analyzed Mar 24, 2026
github · WRITEUP
by Arkha-Corvus · poc
https://github.com/Arkha-Corvus/LetsDefend-SOC336-Windows-OLE-Zero-Click-RCE-Exploitation-Detected-CVE-2025-21298-

This repository provides a detailed technical analysis of a Windows OLE zero-click RCE exploitation (CVE-2025-21298) delivered via a malicious RTF file. It includes investigation steps, screenshots, and a breakdown of the attack chain involving regsvr32.exe and scrobj.dll for fileless malware execution.

Classification: Writeup (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows OLE (specific version not specified)
No auth needed
Prerequisites: Victim opens malicious RTF file · Network access to attacker-controlled server
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References (1)
Patch, Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298

Scores

CVSS v3 9.8
EPSS 0.7803
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-416
Status published
Products (42)
Microsoft/Windows 10 Version 1507 10.0.10240.0 - 10.0.10240.20890
Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.7699
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.6775
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.5371
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.5371
Microsoft/Windows 11 version 22H2 10.0.22621.0 - 10.0.22621.4751
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.4751
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.4751
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.2894
Microsoft/Windows Server 2008 R2 Service Pack 1 6.1.7601.0 - 6.1.7601.27520
... and 32 more
Published Jan 14, 2025
Tracked Since Feb 18, 2026