CVE-2014-6352

HIGH KEV

MS14-064 Microsoft Windows OLE Package Manager Code Execution

Title source: metasploit

Exploitation Summary

CVE-2014-6352 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 25, 2022. EIP tracks 7 public exploits from researchers including Metasploit, Abhishek Lyall, and Mike Czumak, among them the Metasploit module exploits/windows/fileformat/ms14_064_packager_run_as_admin.

AI-analyzed exploit summary

This Metasploit module exploits CVE-2014-4114 by crafting a malicious PPSX file with embedded OLE objects that trigger arbitrary code execution via Python on vulnerable Windows systems. It leverages the 'Sandworm' vulnerability to bypass MS14-060 patches.

Description

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/35235

This Metasploit module exploits CVE-2014-4114 by crafting a malicious PPSX file with embedded OLE objects that trigger arbitrary code execution via Python on vulnerable Windows systems. It leverages the 'Sandworm' vulnerability to bypass MS14-060 patches.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows OLE Package Manager (Windows Vista SP2 to Windows 8, Server 2008/2012) with Python for Windows installed
No auth needed
Prerequisites: Python for Windows installed · Vulnerable version of Windows OLE Package Manager
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/35236

This Metasploit module exploits CVE-2014-6352, a vulnerability in Microsoft Windows OLE Package Manager, by crafting a malicious PPSX file that executes arbitrary code when opened. It leverages the 'Sandworm' vulnerability to bypass MS14-060 patches, targeting Windows systems with Office 2010/2013.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows OLE Package Manager (Office 2010 SP2, Office 2013, Windows 7 SP1)
No auth needed
Prerequisites: Victim must open the malicious PPSX file
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows_x86
https://www.exploit-db.com/exploits/35020

This Metasploit module exploits CVE-2014-4114 (MS14-060) in Microsoft Windows OLE Package Manager to achieve remote code execution via a malicious INF file embedded in a PPSX file. It generates an INF, GIF, and PPSX file, requiring a SMB share to host the payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (Vista SP2 to Windows 8, Server 2008/2012) with Office 2010/2013
No auth needed
Prerequisites: SMB/Samba share to host INF and GIF files · Target interaction to open the PPSX file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Abhishek Lyall · python · local · windows
https://www.exploit-db.com/exploits/35216

This Python script generates a malicious OLE file to exploit CVE-2014-4114, a vulnerability in Microsoft Windows OLE that allows remote code execution. The exploit crafts a specially formatted file to bypass UAC and execute arbitrary payloads on vulnerable systems.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (OLE), Office 2007/2010
No auth needed
Prerequisites: Python 2.7 · Payload executable < 400KB · Temp folder in same directory
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC
by Mike Czumak · python · remote · windows
https://www.exploit-db.com/exploits/35055

This Python script generates a malicious PowerPoint (PPSX) file exploiting CVE-2014-4114 (MS14-060) via OLE object manipulation. It embeds a remote SMB share reference to execute arbitrary code when the file is opened.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (via PowerPoint OLE objects)
No auth needed
Prerequisites: Remote SMB share hosting payload · Victim opens malicious PPSX file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Vlad Ovtchinikov · python · local · windows
https://www.exploit-db.com/exploits/35019

This Python script automates the creation of a malicious PowerPoint file (exploit.ppsx) that exploits CVE-2014-4114, a vulnerability in Microsoft Office's OLE packager. It modifies embedded OLE objects to reference a remote SMB share hosting a malicious INF and executable file, enabling remote code execution when the victim opens the file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (tested on Office 2013 Plus on Windows 7 SP1)
No auth needed
Prerequisites: Access to a remote SMB share · Malicious INF and executable files · Victim interaction to open the PowerPoint file
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Haifei Li, sinn3r, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb

This Metasploit module exploits CVE-2014-6352, a vulnerability in Microsoft Windows OLE Package Manager, by crafting a malicious PPSX file that executes arbitrary code when opened. It leverages the 'Packager' CLSID to bypass the MS14-060 patch and achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (Vista SP2 to 8, Server 2008/2012) with Office 2010/2013
No auth needed
Prerequisites: Victim must open the malicious PPSX file · Target system must have vulnerable OLE Package Manager
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/97714
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/61803
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-064
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031097
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/70690
Patch, Vendor Advisory x_refsource_confirm
https://technet.microsoft.com/library/security/3010060
Third Party Advisory x_refsource_misc
http://twitter.com/ohjeongwook/statuses/524795124270653440

Scores

CVSS v3 7.8
EPSS 0.7740
EPSS Percentile 99.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-02-25
VulnCheck KEV 2014-10-22
InTheWild.io 2014-11-11
ENISA EUVD EUVD-2014-6236
Status published
Products (10)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_vista
Published Oct 22, 2014
KEV Added Feb 25, 2022
Tracked Since Feb 18, 2026