Let’s Defend: 314 — SOC336 — Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025–21298)

The SOC investigated a Windows OLE zero-click remote code execution attack exploiting CVE-2025-21298, delivered via a malicious RTF attachment (mail.rtf, hash df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184) that resulted in a connection to a suspected C2 server at 84[.]38.130.118. The endpoint was contained and the case escalated to Tier 2, with recommendations to apply the January 2025 patches, disable RTF/OLE rendering in Outlook, implement email filtering, and monitor endpoints. #CVE-2025-21298 #LetsDefend

Keypoints

  • Alert: Windows OLE Zero-Click RCE detected (CVE-2025-21298) triggered by a malicious RTF attachment identified by rule SOC336.
  • Delivery: A malicious RTF (.rtf) with an embedded OLE object was distributed via email from [email protected]; previewing it in Outlook triggered code execution without any user click.
  • Indicators: Attachment hash df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184 and C2 IP 84[.]38.130.118 were identified via VirusTotal and MXToolbox (blacklist hits).
  • Timeline: The C2 address was contacted before the alert, suggesting initial access occurred prior to detection and the device allowed the connection.
  • Response: The compromised host was isolated, Tier 2 escalation was performed for deeper investigation and restoration, and the SOC documented findings in an Analyst Note and closed the ticket as a true positive.
  • Mitigations: Apply Microsoft January 2025 patches, configure Outlook to plain text/disable OLE, block or sandbox .rtf attachments, monitor for Office crashes/anomalous processes, and train users to report suspicious attachments.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Phishing emails carried a malicious RTF attachment containing an OLE object that delivered the exploit (‘Commonly abused in phishing campaigns via RTF attachments or malicious links.’)
  • [T1203] Exploitation for Client Execution – A vulnerability in Windows OLE allowed arbitrary code execution when the RTF was previewed in Outlook, enabling zero-click remote execution (‘Simply previewing or opening it in Outlook triggers arbitrary code execution, no clicks needed.’)
  • [T1071] Application Layer Protocol – The compromised host established outbound communication to a command-and-control server at 84[.]38.130.118, confirmed by VirusTotal and blacklist checks (‘this address is analyzed … shows a comment about its work as C2 address.’)
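The Indicators and Timeline keypoints above can be turned into a small triage script. This is an added example, not code from the Let's Defend write-up: it flags RTF attachments that embed an OLE object, hash-matches an attachment against the case IoC, and checks whether the C2 address was contacted before the alert fired. The egress-log format, the sample RTF blob and the timestamps are constructed for the example; only the hash and the C2 IP come from the case.

```python
"""Added triage helpers for the SOC336 case (example code, not from the write-up):
flag RTF attachments embedding an OLE object, hash-match against the case IoC,
and find C2 contacts that predate the alert timestamp."""
import hashlib
import re
from datetime import datetime

# Indicators quoted from the case summary above.
IOC_SHA256 = "df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184"
IOC_C2_IP = "84.38.130.118"

# Constructed egress-log format: "<YYYY-MM-DD HH:MM:SS> src=<ip> dst=<ip> action=<allowed|blocked>"
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) action=(?P<action>\w+)$")

def rtf_has_embedded_ole(data: bytes) -> bool:
    """True when the blob is RTF and carries an embedded OLE object:
    \\object opens the object group, \\objdata holds the serialized OLE stream."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return False
    return rb"\object" in data and rb"\objdata" in data

def attachment_matches_ioc(data: bytes) -> bool:
    """Compare the attachment's SHA-256 with the hash reported for mail.rtf."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256

def c2_contacts_before_alert(log_lines, alert_time):
    """Return [(timestamp, allowed)] for connections to the C2 IP seen before the alert.
    A hit with allowed=True mirrors the Timeline keypoint: the host reached the C2
    before detection and egress filtering let the connection through."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["dst"] == IOC_C2_IP:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            if ts < alert_time:
                hits.append((ts, m["action"].lower() == "allowed"))
    return hits

# Constructed sample inputs; the real mail.rtf and real log times are not reproduced.
SAMPLE_RTF = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0105000002000000}}}"
SAMPLE_LOGS = [
    "2025-01-15 09:58:12 src=10.0.0.21 dst=84.38.130.118 action=allowed",
    "2025-01-15 10:03:40 src=10.0.0.21 dst=93.184.216.34 action=allowed",
    "2025-01-15 10:10:05 src=10.0.0.21 dst=84.38.130.118 action=blocked",
]
SAMPLE_ALERT_TIME = datetime(2025, 1, 15, 10, 5, 0)
```

On the sample data the script reports one allowed pre-alert contact to the C2 address, which is exactly the condition that justified isolating the host and escalating to Tier 2.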

Read more: https://medium.com/@exeepereda/lets-defend-314-soc336-windows-ole-zero-click-rce-exploitation-detected-cve-2025-21298-8e5aa721e64b