CVE-2014-6332

HIGH KEV RANSOMWARE

Microsoft Windows - Remote Code Execution via SafeArrayDimen Function

Exploitation Summary

CVE-2014-6332 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 25, 2022), with confirmed use in ransomware campaigns. EIP tracks 13 public exploits, from researchers including Ehsan Noreddini, Mohammad Reza Espargham and Naser Farhadi, among them the Metasploit module exploits/windows/browser/ms14_064_ole_code_execution.

Description

OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."

Exploits (13)

exploitdb WORKING POC VERIFIED
by Ehsan Noreddini · php · remote · windows
https://www.exploit-db.com/exploits/38512

This exploit leverages CVE-2014-6332 (MS14-064) to achieve remote code execution in TheWorld Browser 3.0 Final by serving a malicious HTML page that triggers a VBScript memory corruption vulnerability. The payload downloads and executes a remote executable (e.g., PuTTY in the example).

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: TheWorld Browser 3.0 Final
No auth needed
Prerequisites: Victim must visit the attacker-controlled URL · TheWorld Browser 3.0 Final installed on victim's machine
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Ehsan Noreddini · php · remote · windows
https://www.exploit-db.com/exploits/38500

This exploit leverages CVE-2014-6332, a vulnerability in HTML Compiler, to achieve remote code execution by serving a malicious payload via a local HTTP server. The payload uses VBScript to download and execute an arbitrary file (e.g., PuTTY in the example).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: HTML Compiler (version unspecified)
No auth needed
Prerequisites: Victim must open the malicious project file in HTML Compiler · Attacker must host a malicious payload on a reachable server
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Mohammad Reza Espargham · php · remote · windows
https://www.exploit-db.com/exploits/37800

This exploit leverages CVE-2014-6332, a vulnerability in Microsoft Windows HTA (HTML Application) to achieve remote code execution. It generates an HTA file that, when opened, executes arbitrary commands via VBScript, specifically downloading and executing a payload (e.g., PuTTY.exe in the example).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on Windows 7 / Server 2008)
No auth needed
Prerequisites: Network access to the target · User interaction to open the malicious HTA file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Mohammad Reza Espargham · php · remote · windows
https://www.exploit-db.com/exploits/37400

This exploit leverages CVE-2014-6332, a vulnerability in Windows OLE Automation (OleAut32.dll), to achieve remote code execution. It sets up a malicious server that serves an HTML page with embedded VBScript, which triggers the vulnerability when loaded in a vulnerable application like Havij.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows OLE Automation (OleAut32.dll) via Havij
No auth needed
Prerequisites: Vulnerable Windows system with OLE Automation (pre-MS14-064 patch) · Victim interaction to load the malicious link in a vulnerable application like Havij
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Naser Farhadi · python · remote · windows
https://www.exploit-db.com/exploits/36516

This exploit leverages CVE-2014-6332 (MS14-064) to achieve remote code execution via OLE Automation Array manipulation in Internet Explorer. It serves a malicious payload (acunetix.exe) via a Python HTTP server and triggers execution through VBScript.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Acunetix Login Sequence Recorder (lsr.exe) <=9.5
No auth needed
Prerequisites: Victim must visit the attacker-controlled HTTP server · Target must be using a vulnerable version of Acunetix or IE
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by GradiusX & b33f · html · remote · windows
https://www.exploit-db.com/exploits/35308

This exploit leverages a memory corruption vulnerability in OLE Automation Array handling in Internet Explorer (pre-IE11) to achieve remote code execution. It uses VBScript to manipulate array objects and execute a PowerShell payload containing shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Internet Explorer < 11
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by yuange · html · remote · windows
https://www.exploit-db.com/exploits/35229

This exploit leverages CVE-2014-6332, a memory corruption vulnerability in Internet Explorer, to achieve remote code execution by manipulating VBScript arrays and object types to bypass memory protections.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Internet Explorer (IE3 to IE11)
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Mohammad Reza Espargham · php · remote · windows
https://www.exploit-db.com/exploits/37668

This exploit leverages CVE-2014-6332, a vulnerability in Windows OLE Automation (OleAut32.dll), to achieve remote code execution. It sets up a malicious server that delivers a crafted HTML page with VBScript to exploit the vulnerability when visited by a vulnerable client.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows OLE Automation (OleAut32.dll) on Windows 7/Server 2008
No auth needed
Prerequisites: Vulnerable Windows system with Internet Download Manager (IDM) installed · Network access to the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Wesley Neelen & Rik van Duijn · ruby · remote · windows
https://www.exploit-db.com/exploits/35230

This Metasploit module exploits CVE-2014-6332, a vulnerability in Windows OLE Automation Array, to achieve remote code execution via a crafted HTML page with VBScript. It targets Internet Explorer versions 3.0 to 11 on Windows systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Internet Explorer 3.0-11 on Windows 95 to Windows 10
No auth needed
Prerequisites: Victim must visit a malicious webpage · VBScript must be enabled in the target's browser
devstral-2 · analyzed Feb 16, 2026

nomisec STUB 2 stars
by mourr · poc
https://github.com/mourr/CVE-2014-6332

The repository contains only a README file with minimal information about CVE-2014-6332, stating it is a ZeroDay PoC that starts PowerShell. No actual exploit code or technical details are provided.

Classification: Stub 30%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Microsoft Windows (via PowerShell)
No auth needed
Prerequisites: None specified
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 2 stars
by tjjh89017 · poc
https://github.com/tjjh89017/cve-2014-6332

This repository provides a detailed technical analysis of CVE-2014-6332, a VBScript engine vulnerability involving integer overflow in SafeArrayRedim. It explains the root cause, exploitation steps, and includes a partial exploit script.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows VBScript Engine (IE)
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by Robert Freeman, yuange, Rik van Duijn, Wesley Neelen · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb

This Metasploit module exploits CVE-2014-6332, a Windows OLE Automation array vulnerability, to achieve remote code execution via Internet Explorer. It uses VBScript for Windows XP and PowerShell for newer systems to deliver and execute payloads.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Internet Explorer 3.0-11 on Windows XP to Windows 10
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer · JavaScript/VBScript must be enabled
devstral-2 · analyzed Feb 19, 2026

References (17)

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37668/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37800/
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/158647
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38512/
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/ncas/alerts/TA14-318B
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-064
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/134062/HTML-Compiler-Remote-Code-Execution.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/70952
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031184
Exploit, Third Party Advisory x_refsource_misc
https://forsec.nl/wp-content/uploads/2014/11/ms14_064_ie_olerce.rb_.txt
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38500/

Scores

CVSS v3 8.8
EPSS 0.9409
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2015-02-23
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2014-6216
Ransomware Use Confirmed
CWE CWE-119
Status published
Products (11)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2003
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 1 more
Published Nov 11, 2014
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026