Critical Windows OLE Zero-Click Vulnerability Lets Attackers Execute Arbitrary Code

A critical security flaw, identified as CVE-2025-21298, has been disclosed in Microsoft’s Windows Object Linking and Embedding (OLE) technology. 

This zero-click vulnerability, which carries a CVSS score of 9.8, allows attackers to execute arbitrary code remotely through Microsoft Outlook and other applications that render OLE content. 

The flaw has raised alarms across the cybersecurity community due to its severity and ease of exploitation. CVE-2025-21298 is a remote code execution (RCE) vulnerability stemming from a memory corruption issue in the ole32.dll library. 

Specifically, the flaw resides in the UtOlePresStmToContentsStm function, which processes OLE objects embedded in Rich Text Format (RTF) files. 

Attackers can exploit this vulnerability by sending a malicious email containing an RTF attachment. Simply opening or previewing the email in Microsoft Outlook triggers the vulnerability, enabling attackers to execute arbitrary code without…