CVE-2014-0322

HIGH KEV

MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free

Title source: metasploit

Exploitation Summary

CVE-2014-0322 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 4, 2022. EIP tracks 3 public exploits from researchers including Metasploit, Jean-Jamil Khalife, Unknown, Jean-Jamil Khalife, juan vazquez, including a Metasploit module exploits/windows/browser/ms14_012_cmarkup_uaf.

AI-analyzed exploit summary This Metasploit module exploits a use-after-free vulnerability in Microsoft Internet Explorer (CVE-2014-0322) by leveraging Flash Player 12 to bypass ASLR and DEP, achieving remote code execution on Windows 7 SP1 with IE 10.

Description

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/32904

View Code ZIP pw:eip

This Metasploit module exploits a use-after-free vulnerability in Microsoft Internet Explorer (CVE-2014-0322) by leveraging Flash Player 12 to bypass ASLR and DEP, achieving remote code execution on Windows 7 SP1 with IE 10.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Internet Explorer 10 on Windows 7 SP1 with Flash Player 12

No auth needed

Prerequisites: Target must be using Internet Explorer 10 on Windows 7 SP1 · Flash Player 12 must be installed · Target must visit a malicious webpage

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Jean-Jamil Khalife · htmlremotewindows

https://www.exploit-db.com/exploits/32851

View Code ZIP pw:eip

This exploit leverages a use-after-free vulnerability in Internet Explorer 10 (CVE-2014-0322) by manipulating the CMarkup object. It triggers the vulnerability via a crafted HTML page with embedded Flash (AsXploit.swf) and JavaScript to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Internet Explorer 10

No auth needed

Prerequisites: Victim must visit a malicious webpage · Adobe Flash Player installed (tested with versions 12.0.0.70, 12.0.0.77)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

by Unknown, Jean-Jamil Khalife, juan vazquez · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb

View Code ZIP pw:eip

This Metasploit module exploits a use-after-free vulnerability in Microsoft Internet Explorer (CVE-2014-0322) by leveraging Flash Player 12 to bypass ASLR and DEP, achieving remote code execution on Windows 7 SP1 with IE 10.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Internet Explorer 10 on Windows 7 SP1

No auth needed

Prerequisites: Target must be using Windows 7 SP1 with IE 10 and Flash Player 12 · Victim must visit a malicious webpage

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (12)

Core 12

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0322

Broken Link x_refsource_misc

http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html

Broken Link vdb-entry x_refsource_osvdb

http://www.osvdb.org/103354

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/32851

Patch, Vendor Advisory x_refsource_confirm

http://technet.microsoft.com/security/advisory/2934088

Patch, Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/732479

Press/Media Coverage x_refsource_misc

http://twitter.com/nanoc0re/statuses/434251658344673281

Broken Link, Permissions Required x_refsource_misc

http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx

Broken Link, Exploit x_refsource_misc

https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip

Broken Link x_refsource_misc

http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/32904

Scores

CVSS v3 8.8

EPSS 0.8512

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-05-04

VulnCheck KEV 2014-02-14

InTheWild.io 2018-10-12

ENISA EUVD EUVD-2014-0360

CWE

CWE-416

Status published

Products (2)

microsoft/internet_explorer 9

microsoft/internet_explorer 10

Published Feb 14, 2014

KEV Added May 04, 2022

Tracked Since Feb 18, 2026