Windows OLE Use-After-Free — Outlook Preview-Pane RCE With No User Interaction (CVE-2025-21298)
A use-after-free in Windows OLE allows remote code execution when Outlook previews a specially crafted email — no clicks required. Apply the January 2025 cumulative update, or configure Outlook to render messages as plain text until patched.
An attacker who can email the victim — internal user, external phisher, or any inbox-spam path — can execute code in the user's context the moment Outlook previews the message. On a server where Outlook is installed (e.g. a jump host, RDS session host with Office, or admin workstation accessed via remote console), this is a path to interactive code execution with the privileges of whatever account is signed in. On RDS deployments this typically yields a foothold inside the broader environment.
A use-after-free vulnerability in Windows OLE is triggered when Outlook automatically parses a crafted RTF-encoded email in the reading pane. The flaw lets a remote attacker corrupt heap memory and ultimately execute arbitrary code in the user's context. Affected: Windows 10/11 and Windows Server 2008 SP2 through Windows Server 2025, prior to the January 2025 Patch Tuesday. Microsoft rates exploitation "More Likely" because the trigger is automatic email preview — the attacker only needs the victim's mailbox to receive the message.
Probably yes if any of these apply:
Affected OS versions
CVE-2025-21298 was reported by an anonymous researcher and patched in the January 2025 Patch Tuesday rollup. Microsoft's only pre-patch workaround was configuring Outlook to display messages as plain text — a setting most enterprises cannot deploy without serious user complaints. Multiple security firms published technical analyses within days; a working PoC that triggers controlled heap corruption was demonstrated publicly. The wormable, no-click delivery path makes this comparable to historical Outlook/MSHTML preview-pane bugs.
Manual remediation steps
⏱ 30–60 minutes including reboot
Workaround until patched — Outlook plain-text reading
# Force Outlook to read messages as plain text (per-user setting).
# Substitute the correct Office version in the registry path (16.0 for current).
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail" -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail" `
-Name "ReadAsPlain" -Value 1 -Type DWord
# Users must restart Outlook for the setting to take effect.
Group Policy deployment of the workaround
# Office Group Policy Templates → Microsoft Outlook → Outlook Options →
# Preferences → E-mail Options → "Read all standard mail in plain text" = Enabled
Apply the January 2025 cumulative update
Look up CVE-2025-21298 to find the current superseding cumulative update for your OS.
Verify
# Confirm the OLE binary is patched:
(Get-Item C:\Windows\System32\ole32.dll).VersionInfo.FileVersion
# After verification, remove the plain-text workaround if applied.
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
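Because the entry above ships no tested script, the following is an added example written for this edit, not the site's automation and not Microsoft tooling. It reports two things a defender wants after the steps above: whether ole32.dll meets a minimum file version, and whether the plain-text workaround is in force for the current user. Assumptions: the minimum version is a placeholder you must replace with the ole32.dll version listed in the January 2025 update's file information (the page does not state it); the `HKCU\Software\Policies\...` path is assumed to be where the Office Group Policy template writes "Read all standard mail in plain text"; Office 2013 is taken as 15.0 and Office 2016/2019/365 as 16.0.

```powershell
# Added example (not the site's own script). Reports patch state of ole32.dll
# and whether the Outlook ReadAsPlain workaround is active for this user.
param(
    # PLACEHOLDER: replace with the ole32.dll file version from the January 2025
    # cumulative update's file information; the advisory text does not list it.
    [version]$MinimumOle32Version = '10.0.0.0'
)

function Get-Ole32PatchState {
    param([version]$Minimum)
    $path = Join-Path $env:SystemRoot 'System32\ole32.dll'
    # FileVersion usually reads like "10.0.19041.1234 (WinBuild.160101.0800)";
    # keep only the numeric dotted prefix so it can be cast to [version].
    $raw     = (Get-Item $path).VersionInfo.FileVersion
    $current = [version](($raw -split '\s')[0])
    [pscustomobject]@{
        Check   = 'ole32.dll file version'
        Current = $current.ToString()
        Wanted  = ">= $Minimum"
        Status  = if ($current -ge $Minimum) { 'OK' } else { 'ATTENTION: below minimum, apply update' }
    }
}

function Get-OutlookPlainTextState {
    # Check both the per-user preference (set by the manual workaround above) and the
    # policy hive (assumed location written by the Group Policy template). A value of 1
    # in either means Outlook renders standard mail as plain text.
    $results = foreach ($ver in '15.0', '16.0') {
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Outlook")) { continue }
        $keys = @{
            'user preference'  = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\Mail"
            'policy (assumed)' = "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Options\Mail"
        }
        foreach ($label in $keys.Keys) {
            $value = (Get-ItemProperty -Path $keys[$label] -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
            [pscustomobject]@{
                Check   = "ReadAsPlain, Office $ver, $label"
                Current = if ($null -eq $value) { 'not set' } else { [string]$value }
                Wanted  = '1 while unpatched; remove once the update is verified'
                Status  = if ($value -eq 1) { 'workaround active' } else { 'workaround not active' }
            }
        }
    }
    $results
}

@(
    Get-Ole32PatchState -Minimum $MinimumOle32Version
    Get-OutlookPlainTextState
) | Format-Table -AutoSize
```

Run it as the signed-in user on each host where Outlook is installed (it reads HKCU, so a different account gives a different answer). Once the ole32.dll line reports OK, the ReadAsPlain rows tell you which users still carry the workaround and can have it removed, as the verify step above recommends.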
References