CVE-2014-4114

HIGH KEV

MS14-060 Microsoft Windows OLE Package Manager Code Execution

Title source: metasploit

Exploitation Summary

CVE-2014-4114 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 8 public exploits from researchers including Metasploit, Mike Czumak, Vlad Ovtchinikov, including a Metasploit module exploits/windows/fileformat/ms14_064_packager_python.

AI-analyzed exploit summary This Metasploit module exploits CVE-2014-4114 (MS14-060) in Microsoft Windows OLE Package Manager to achieve remote code execution via a malicious INF file embedded in a PPSX file. It generates an INF, GIF, and PPSX file, requiring a SMB share to host the payload.

Description

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

Exploits (8)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocalwindows_x86

https://www.exploit-db.com/exploits/35020

View Code ZIP pw:eip

This Metasploit module exploits CVE-2014-4114 (MS14-060) in Microsoft Windows OLE Package Manager to achieve remote code execution via a malicious INF file embedded in a PPSX file. It generates an INF, GIF, and PPSX file, requiring a SMB share to host the payload.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (Vista SP2 to Windows 8, Server 2008/2012) with Office 2010/2013

No auth needed

Prerequisites: SMB/Samba share to host INF and GIF files · Target interaction to open the PPSX file

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1195 - Supply Chain Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Mike Czumak · pythonremotewindows

https://www.exploit-db.com/exploits/35055

View Code ZIP pw:eip

This Python script generates a malicious PowerPoint (PPSX) file exploiting CVE-2014-4114 (MS14-060) via OLE object manipulation. It embeds a remote SMB share reference to execute arbitrary code when the file is opened.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (via PowerPoint OLE objects)

No auth needed

Prerequisites: Remote SMB share hosting payload · Victim opens malicious PPSX file

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Vlad Ovtchinikov · pythonlocalwindows

https://www.exploit-db.com/exploits/35019

View Code ZIP pw:eip

This Python script automates the creation of a malicious PowerPoint file (exploit.ppsx) that exploits CVE-2014-4114, a vulnerability in Microsoft Office's OLE packager. It modifies embedded OLE objects to reference a remote SMB share hosting a malicious INF and executable file, enabling remote code execution when the victim opens the file.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Office (tested on Office 2013 Plus on Windows 7 SP1)

No auth needed

Prerequisites: Access to a remote SMB share · Malicious INF and executable files · Victim interaction to open the PowerPoint file

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC

rubylocalwindows

https://www.exploit-db.com/exploits/35235

View Code ZIP pw:eip

This Metasploit module exploits CVE-2014-4114 (Sandworm) via a crafted PPSX file containing malicious OLE objects, targeting Windows systems with Python installed. It leverages the OLE Package Manager vulnerability to achieve remote code execution by embedding Python payloads in the file.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (Vista SP2 to 8, Server 2008/2012) with Python for Windows and Office 2010/2013

No auth needed

Prerequisites: Python for Windows installed · Victim opens malicious PPSX file

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1195 - Supply Chain Compromise

devstral-2 · analyzed Feb 19, 2026 Full analysis →

exploitdb WORKING POC

rubylocalwindows

https://www.exploit-db.com/exploits/35236

View Code ZIP pw:eip

This Metasploit module exploits CVE-2014-6352 (MS14-064) by crafting a malicious PPSX file with an embedded OLE object that executes arbitrary code when opened in vulnerable Microsoft Office versions. It leverages the 'Sandworm' vulnerability to bypass patch mitigations and achieve remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Office 2010 SP2, Office 2013 on Windows 7 SP1 and other vulnerable Windows platforms

No auth needed

Prerequisites: Vulnerable Microsoft Office installation · User interaction to open the malicious PPSX file

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1566.001 - Spearphishing Attachment

devstral-2 · analyzed Feb 19, 2026 Full analysis →

exploitdb WORKING POC

pythonlocalwindows

https://www.exploit-db.com/exploits/35216

View Code ZIP pw:eip

This Python script generates a malicious OLE file to exploit CVE-2014-4114, a vulnerability in Microsoft Windows OLE that allows remote code execution. The exploit embeds a payload executable into an OLE object, which can be triggered when the file is opened in vulnerable versions of Microsoft Office.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows OLE (Office 2007, 2010)

No auth needed

Prerequisites: Vulnerable version of Microsoft Office (2007, 2010) · Payload executable (<400KB) · Python 2.7

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1566.001 - Spearphishing Attachment

devstral-2 · analyzed Feb 19, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Haifei Li, sinn3r, juan vazquez · rubypocpython

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms14_064_packager_python.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2014-4114 by crafting a malicious PPSX file with embedded OLE objects that execute arbitrary Python code when opened, bypassing MS14-060. It leverages the 'Sandworm' vulnerability in Windows OLE Package Manager.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows OLE Package Manager (with Python for Windows installed)

No auth needed

Prerequisites: Python for Windows installed · Victim opens the malicious PPSX file

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1566.001 - Spearphishing Attachment

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Unknown, sinn3r, juan vazquez · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms14_060_sandworm.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2014-4114 (Sandworm) by crafting a malicious PPSX file that leverages OLE object manipulation to execute arbitrary code via a malicious INF file hosted on a remote SMB share.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows OLE Package Manager (packager.dll) on Windows Vista SP2 to Windows 8, Server 2008/2012, with Office 2010/2013

No auth needed

Prerequisites: SMB/Samba server to host INF and payload files · Target interaction to open the PPSX file

MITRE ATT&CK