CVE-2025-21298
Published: 14 January 2025
Summary
CVE-2025-21298 is a critical-severity Use After Free (CWE-416) vulnerability in the Microsoft Windows OLE component (the affected-product entry on this page lists Windows 10 1507; the advisory text below describes it as affecting Microsoft Windows systems generally). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.0% of CVEs by EPSS exploit likelihood, but it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-21298 is a remote code execution vulnerability in the Windows OLE component, stemming from a use-after-free flaw (CWE-416). It affects Microsoft Windows systems and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required privileges or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated attacker who can deliver specially crafted network traffic or documents to a process that parses OLE content can trigger the flaw and execute arbitrary code with that process's privileges; where the parsing process is privileged, this amounts to full system compromise.
The primary advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298 directs administrators to apply the corresponding Microsoft security update, which addresses the underlying memory-safety issue in OLE.
The vulnerability shows a high exploitation probability with an EPSS score of 0.7803 (peak 0.7896), i.e. an estimated 78% probability of exploitation activity within the next 30 days, indicating substantial attacker interest following disclosure.
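The advisory's remediation is to install the Microsoft security update, so the first operational question on any fleet is which hosts still lack it. The script below is an added example, not code from this page or from Microsoft: it checks a host for the update, treating a match on a known KB ID as proof and a security update installed on or after the advisory date as weaker evidence that still needs confirmation. The KB list is an assumed placeholder; populate it from the Security Updates table on the MSRC page for each OS build you run.

```powershell
# Added example, not from the MSRC advisory or this page.
# $PatchKbIds is an ASSUMED placeholder: fill it with the KB numbers the MSRC
# page lists for your OS builds. The date fallback is weaker evidence because
# Get-HotFix only tells us *a* security update landed, not which one.
param(
    [string[]]$PatchKbIds = @(),                       # ASSUMED placeholder, e.g. @('KB1234567')
    [datetime]$AdvisoryDate = [datetime]'2025-01-14'   # publication date from the advisory
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$hotfixes = Get-HotFix | Sort-Object -Property InstalledOn -Descending

# Strong evidence: one of the advisory's KB IDs is present.
$matched = $hotfixes | Where-Object { $PatchKbIds -contains $_.HotFixID }

# Weak evidence: any security update installed on or after the advisory date.
# Note Get-HotFix lists the cumulative update that was installed, so a later
# LCU that supersedes the January one also shows up here and is still a valid
# fix; that is why a KB miss alone is not reported as MISSING.
$sinceAdvisory = $hotfixes | Where-Object {
    $_.Description -eq 'Security Update' -and $_.InstalledOn -ge $AdvisoryDate
}

if ($matched) {
    $status = 'PATCHED (KB match)'
} elseif ($sinceAdvisory) {
    $status = 'UNVERIFIED (security update after advisory date; confirm KB against MSRC)'
} else {
    $status = 'MISSING (no security update since advisory date)'
}

$latest = if ($sinceAdvisory) { @($sinceAdvisory)[0].HotFixID } else { '' }

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OSCaption       = $os.Caption
    OSBuild         = $os.BuildNumber
    MatchedKB       = (@($matched) | Select-Object -ExpandProperty HotFixID) -join ','
    LatestSecUpdate = $latest
    Status          = $status
} | Format-List
```

Run it locally or through Invoke-Command against a list of hosts and filter on Status; treat UNVERIFIED as a work item, not a pass, until the KB is matched to the MSRC table for that build.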
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2363
Vulnerability details
Windows OLE Remote Code Execution Vulnerability
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE is a remote code execution vulnerability in a Windows component whose CVSS vector (network attack vector, no privileges, no user interaction) maps directly to T1190, exploiting a public-facing application to gain initial access. Where the crafted OLE content arrives as a document rather than against a listening service, the initial-access mapping is closer to phishing with user execution than to T1190. Post-exploitation, the arbitrary code execution capability facilitates T1059.001, running commands via PowerShell or a similar interpreter.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of system flaws; for CVE-2025-21298 that means deploying the Microsoft security update, which removes the use-after-free in Windows OLE rather than merely raising the cost of exploiting it.
SI-16 covers memory protections such as DEP, ASLR and Control Flow Guard. These do not remove the use-after-free, but they make turning it into code execution harder: DEP blocks execution from data pages, ASLR (with high-entropy bottom-up randomization) denies the attacker reliable addresses, and CFG constrains the indirect calls an attacker would make through a freed object's vtable. Treat them as defence in depth behind SI-2, not as a substitute for the patch.
SC-7 monitors and controls communications at system boundaries; restricting which hosts can reach services that accept OLE content, and filtering inbound documents at mail and web gateways, limits the attacker's ability to deliver the crafted input to the vulnerable component.
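Because SI-16 only helps if the protections are actually on, it is worth auditing the system-wide exploit-protection policy rather than assuming OS defaults. The script below is an added example, not code from this page: it reads the policy via Get-ProcessMitigation -System (Windows Defender Exploit Guard on Windows 10/11) and reports DEP, ASLR, CFG and SEHOP state. The property paths used (DEP.Enable, ASLR.BottomUp, and so on) follow the object that cmdlet returns and are stated here as an assumption to verify on your build; the remediation line at the end is a suggested policy, left commented out.

```powershell
# Added example, not from this page. Audits the system-wide exploit-protection
# policy that NIST SI-16 maps to. Property paths below are ASSUMED to match the
# object Get-ProcessMitigation -System returns on current Windows 10/11 builds.
$policy = Get-ProcessMitigation -System

$checks = @(
    @{ Name = 'DEP';                 Value = $policy.DEP.Enable }
    @{ Name = 'ASLR BottomUp';       Value = $policy.ASLR.BottomUp }
    @{ Name = 'ASLR HighEntropy';    Value = $policy.ASLR.HighEntropy }
    @{ Name = 'ASLR ForceRelocate';  Value = $policy.ASLR.ForceRelocateImages }
    @{ Name = 'CFG';                 Value = $policy.CFG.Enable }
    @{ Name = 'SEHOP';               Value = $policy.SEHOP.Enable }
)

$failures = 0
foreach ($c in $checks) {
    # ON     = explicitly enforced by policy
    # NOTSET = OS default applies (on for DEP/ASLR/CFG on 64-bit builds, but
    #          not pinned, so a later policy change can silently turn it off)
    # OFF    = explicitly disabled; this is the state worth a ticket
    $state = switch ("$($c.Value)") {
        'OFF' { $failures++; 'FAIL' }
        'ON'  { 'PASS' }
        default { 'DEFAULT' }
    }
    '{0,-20} {1,-7} {2}' -f $c.Name, $c.Value, $state
}
"Explicitly disabled mitigations: $failures"

# Remediation (an assumption about your policy; pilot it in a test ring first,
# because ForceRelocateImages can break software that is not ASLR-aware):
# Set-ProcessMitigation -System -Enable DEP,BottomUp,HighEntropy,CFG,SEHOP
```

A NOTSET result is not a failure, but pinning the mitigations to ON with Set-ProcessMitigation, or the equivalent Group Policy, is what makes the SI-16 control auditable rather than dependent on defaults.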