Alert essentials:
A critical Windows vulnerability allows remote code execution with a specially crafted email in Microsoft Outlook.
User interaction is not required, so security patches should be deployed as soon as possible.
Detailed threat description:
Technology developed to allow the insertion and linking of documents and other items has been found to have a critical weakness.
Microsoft’s Windows Object Linking and Embedding (OLE) technology enables embedding components into an application other than the one used to create them, such as inserting an Excel spreadsheet into a Word document.
A critical remote code execution vulnerability with a CVSS score of 9.8 has been found in OLE. While traditional phishing tricks can be used in potential attacks, this weakness can also be exploited when the malicious email is merely viewed in the preview pane of a user’s application.
If a maliciously crafted email is opened or previewed in Microsoft Outlook, the embedded OLE object can trigger remote code execution on the victim’s machine. This dangerous zero-click attack can be exploited without any user interaction beyond receiving an email.
There are no known exploits currently. However, hackers frequently leverage OLE technology in campaigns, so apply patches before they weaponize the flaw.
Workarounds are available if patch deployment must be delayed.
Workarounds:
- Configure Microsoft Outlook to display emails in plain text format to reduce the risk of triggering malicious OLE objects
- Be cautious of emails containing Rich Text Format (RTF) attachments or content from unknown senders
- Restrict user permissions to limit the impact of successful exploitation
Impacts on healthcare organizations:
Exploiting this remote code execution vulnerability in a healthcare network would have severe impacts. Hackers who use this weakness in attacks on numerous systems across the organization could cause data breaches, compliance violations, and system compromise.
Additionally, a successful attack could erode patient trust and damage the healthcare provider’s reputation, potentially leading to long-term consequences for the organization.
Healthcare providers should prioritize patching this vulnerability and conduct employee training on the risks of opening suspicious emails or attachments, particularly from unknown sources.
Affected Products / Versions:
Operating System |
---|
Windows 10 for 32-bit Systems |
Windows 10 for x64-based Systems |
Windows 10 Version 1607 for 32-bit Systems |
Windows 10 Version 1607 for x64-based Systems |
Windows 10 Version 1809 for 32-bit Systems |
Windows 10 Version 1809 for x64-based Systems |
Windows 10 Version 21H2 for 32-bit Systems |
Windows 10 Version 21H2 for ARM64-based Systems |
Windows 10 Version 21H2 for x64-based Systems |
Windows 10 Version 22H2 for 32-bit Systems |
Windows 10 Version 22H2 for ARM64-based Systems |
Windows 10 Version 22H2 for x64-based Systems |
Windows 11 Version 22H2 for ARM64-based Systems |
Windows 11 Version 22H2 for x64-based Systems |
Windows 11 Version 23H2 for ARM64-based Systems |
Windows 11 Version 23H2 for x64-based Systems |
Windows 11 Version 24H2 for ARM64-based Systems |
Windows 11 Version 24H2 for x64-based Systems |
Windows Server 2008 for 32-bit Systems Service Pack 2 |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) |
Windows Server 2008 for x64-based Systems Service Pack 2 |
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) |
Windows Server 2012 |
Windows Server 2012 (Server Core installation) |
Windows Server 2012 R2 |
Windows Server 2012 R2 (Server Core installation) |
Windows Server 2016 |
Windows Server 2016 (Server Core installation) |
Windows Server 2019 |
Windows Server 2019 (Server Core installation) |
Windows Server 2022 |
Windows Server 2022 (Server Core installation) |
Windows Server 2022, 23H2 Edition (Server Core installation) |
Windows Server 2025 |
Windows Server 2025 (Server Core installation) |
CVEs
CVE-2025-21298 – CWE-416 – (CVSS 9.8)
KBs
5049981, 5049983, 5049984, 5049993, 5050004, 5050006, 5050008, 5050009, 5050013, 5050021, 5050048, 5050049, 5050061, 5050063
Recommendations
Engineering recommendations:
- Apply available security patches as soon as possible
- Configure a workaround if patching is to be delayed
- Monitor network traffic for suspicious activity, particularly focusing on incoming emails with attachments or embedded OLE objects
- Enable protected view in Microsoft Office applications
- Disable macros in Office unless required
- Educate users about the risks of opening suspicious emails or attachments, especially those from unknown sources
- Tenable plugins are available for investigation:
Tenable Plugin | KB Number | Description |
---|---|---|
214129 | KB5050061 | Windows Server 2008 Security Update (January 2025) |
214112 | KB5050006 | Windows Server 2008 R2 Security Update (January 2025) |
214125 | KB5050013 | Windows 10 LTS 1507 Security Update (January 2025) |
214135 | KB5050048 | Windows Server 2012 R2 Security Update (January 2025) |
214111 | KB5050004 | Windows Server 2012 Security Update (January 2025) |
214121 | KB5049981 | Windows 10 version 21H2 / Windows 10 Version 22H2 Security Update (January 2025) |
214123 | KB5049993 | Windows 10 Version 1607 / Windows Server 2016 Security Update (January 2025) |
214124 | KB5050009 | Windows 11 Version 24H2 / Windows Server 2025 Security Update (January 2025) |
214122 | KB5049983 | Windows Server 2022 / Azure Stack HCI 22H2 Security Update (January 2025) |
214115 | KB5050008 | Windows 10 version 1809 / Windows Server 2019 Security Update (January 2025) |
214110 | KB5050021 | Windows 11 version 22H2 / Windows 11 version 23H2 Security Update (January 2025) |
214136 | KB5049984 | Windows 11 version 22H2 / Windows Server version 23H2 Security Update (January 2025) |
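A per-host check for the first two engineering recommendations, added here as an example and not part of the original advisory: it looks for the KBs listed above and reports whether the plain-text reading workaround is set for the current user. The `ReadAsPlain` registry value, the Office `16.0` key path (Outlook 2016/2019/365) and the function names are assumptions that do not come from the advisory.

```powershell
# Added example. KB numbers are the ones this advisory lists for CVE-2025-21298.
$AdvisoryKBs = 'KB5049981','KB5049983','KB5049984','KB5049993','KB5050004',
               'KB5050006','KB5050008','KB5050009','KB5050013','KB5050021',
               'KB5050048','KB5050049','KB5050061','KB5050063'

function Test-AdvisoryPatch {
    # Returns the advisory KBs present on this host (nothing if none match).
    # Caveat: a later cumulative update supersedes these KBs and will not match,
    # so "none found" means "verify the OS build", not "vulnerable".
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $AdvisoryKBs | Where-Object { $installed -contains $_ }
}

function Get-OutlookPlainTextState {
    # Assumption: ReadAsPlain = 1 under the Office 16.0 key makes Outlook render
    # standard mail as plain text; the policy hive is checked before the user hive.
    $paths = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail',
             'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name ReadAsPlain `
              -ErrorAction SilentlyContinue).ReadAsPlain
        if ($null -ne $v) {
            return [pscustomobject]@{ Path = $p; Enabled = ([int]$v -eq 1) }
        }
    }
    [pscustomobject]@{ Path = $null; Enabled = $false }
}

$found = @(Test-AdvisoryPatch)
$plain = Get-OutlookPlainTextState
$os    = Get-CimInstance -ClassName Win32_OperatingSystem

$status = if ($found.Count -gt 0) { 'Advisory KB installed' }
          elseif ($plain.Enabled) { 'Workaround set; patch not confirmed' }
          else                    { 'Action needed: confirm build or patch' }

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OS              = $os.Caption
    Build           = $os.BuildNumber
    AdvisoryKBFound = ($found -join ',')
    PlainTextRead   = $plain.Enabled
    PlainTextSource = $plain.Path
    Status          = $status
}
```

The registry check covers only the user running the script, so run it in each user's context (for example as a logon script) when auditing the workaround across shared workstations.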
Leadership / Program recommendations:
- Invest in robust endpoint protection solutions. These can help detect and prevent potential exploitation attempts
- Review and update security policies
- Enhance network segmentation to limit the potential spread of an attack if a system is compromised
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CVE.org: https://www.cve.org/CVERecord?id=CVE-2025-21298
- Microsoft plain text: https://support.microsoft.com/en-us/office/read-email-messages-in-plain-text-16dfe54a-fadc-4261-b2ce-19ad072ed7e3
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-21298
- Tenable plugins: https://www.tenable.com/plugins/search?q=%222025-21298%22&sort=&page=1
- Windows OLE Remote Code Execution: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298