CVE-2014-1761

HIGH KEV

Microsoft Word <2013 - Memory Corruption

Title source: llm

Exploitation Summary

CVE-2014-1761 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 15, 2022. EIP tracks 2 public exploits from researchers including Metasploit, Haifei Li, Spencer McIntyre, unknown, including a Metasploit module exploits/windows/fileformat/ms14_017_rtf.

AI-analyzed exploit summary This Metasploit module exploits CVE-2014-1761, a vulnerability in Microsoft Word that allows remote code execution via a malicious RTF file. It leverages a listoverridecount field manipulation to confuse object structures and includes a ROP chain for payload execution.

Description

Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, as exploited in the wild in March 2014.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocalwindows

https://www.exploit-db.com/exploits/32793

View Code ZIP pw:eip

This Metasploit module exploits CVE-2014-1761, a vulnerability in Microsoft Word that allows remote code execution via a malicious RTF file. It leverages a listoverridecount field manipulation to confuse object structures and includes a ROP chain for payload execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Word 2010 SP2 (v14.0.7116.5000)

No auth needed

Prerequisites: Victim must open the malicious RTF file in a vulnerable version of Microsoft Word

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1566.001 - Spearphishing Attachment

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC NORMAL

by Haifei Li, Spencer McIntyre, unknown · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms14_017_rtf.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2014-1761, a Microsoft Word RTF object confusion vulnerability, by crafting a malicious RTF file that triggers arbitrary code execution via a ROP chain and payload delivery.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Office 2010 SP2 (winword.exe v14.0.7116.5000)

No auth needed

Prerequisites: Vulnerable version of Microsoft Word · User interaction to open the malicious RTF file

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Patch, Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-017

Patch, Vendor Advisory x_refsource_confirm

http://technet.microsoft.com/security/advisory/2953095

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-1761

Scores

CVSS v3 7.8

EPSS 0.7773

EPSS Percentile 99.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-02-15

VulnCheck KEV 2014-03-24

InTheWild.io 2018-10-30

ENISA EUVD EUVD-2014-1835

CWE

CWE-787

Status published

Products (11)

microsoft/office 2011

microsoft/office_compatibility_pack

microsoft/office_web_apps 2010 sp1 (2 CPE variants)

microsoft/office_web_apps_server 2013

microsoft/sharepoint_server 2010 sp1 (2 CPE variants)

microsoft/sharepoint_server 2013

microsoft/word 2003 sp3

microsoft/word 2007 sp3

microsoft/word 2010 sp1 (2 CPE variants)

microsoft/word 2013 (4 CPE variants)

... and 1 more

Published Mar 25, 2014

KEV Added Feb 15, 2022

Tracked Since Feb 18, 2026