CVE-2014-4076

EXPLOITED

Microsoft Windows Server 2003 SP2 - Privilege Escalation

Exploitation Summary

CVE-2014-4076 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Tomislav Paskalev, KoreLogic, and fungoshacks, as well as a Metasploit module, exploits/windows/local/ms14_070_tcpip_ioctl.

AI-analyzed exploit summary: This is a functional privilege escalation exploit for CVE-2014-4076, targeting Windows 2003 SP2 x86. It leverages a vulnerability in the TCP/IP stack's IOCTL handling to execute arbitrary code in kernel mode, spawning a SYSTEM-level command shell.

Description

Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."

Exploits (5)

exploitdb WORKING POC
by Tomislav Paskalev · c · local · windows
https://www.exploit-db.com/exploits/37755

This is a functional privilege escalation exploit for CVE-2014-4076, targeting Windows 2003 SP2 x86. It leverages a vulnerability in the TCP/IP stack's IOCTL handling to execute arbitrary code in kernel mode, spawning a SYSTEM-level command shell.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 2003 SP2 x86
Auth required
Prerequisites: Low-privilege access to the target system · Unpatched Windows 2003 SP2 (KB2989935 not installed)
devstral-2 · analyzed Feb 18, 2026

exploitdb WRITEUP
by KoreLogic · python · local · windows
https://www.exploit-db.com/exploits/35936

This is a detailed technical writeup for CVE-2014-4076, a privilege escalation vulnerability in Microsoft Windows Server 2003 SP2's TCP/IP driver. It includes root cause analysis, crash dump analysis, and exploitation details but does not contain functional exploit code.

Classification: Writeup 100%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Microsoft Windows Server 2003 SP2 (tcpip.sys)
No auth needed
Prerequisites: Access to a vulnerable Windows Server 2003 SP2 system · Ability to send IOCTL requests to the TCP/IP driver
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by fungoshacks · poc
https://github.com/fungoshacks/CVE-2014-4076

This is a C++ rewrite of the original Python exploit for CVE-2014-4076, targeting a privilege escalation vulnerability in Windows 2003's tcpip.sys driver. It leverages a kernel memory corruption bug to escalate from Administrator to SYSTEM by sending a crafted IOCTL request.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server 2003 tcpip.sys
Auth required
Prerequisites: Administrator access on Windows Server 2003
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb

This Metasploit module exploits a NULL pointer dereference in the Microsoft TCP/IP driver (tcpip.sys) via a crafted IOCTL request to elevate privileges to SYSTEM on Windows Server 2003 SP2. It includes token-stealing shellcode and memory manipulation to trigger the vulnerability.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server 2003 SP2 (tcpip.sys version 5.2.3790 with revision < 5440)
Auth required
Prerequisites: Local access to the target system · Meterpreter session · 32-bit Windows Server 2003 SP2
devstral-2 · analyzed Feb 19, 2026

patchapalooza NO CODE
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

References (5)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/114532
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37755/
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/35936
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/70976

Scores

EPSS: 0.5845
EPSS Percentile: 98.2%

Details

VulnCheck KEV: 2016-08-04
CWE: CWE-264
Status: published
Products (1): microsoft/windows_server_2003 (3 CPE variants)
Published: Nov 11, 2014
Tracked Since: Feb 18, 2026