CVE-2014-4114
published 2014-10-15

CVE-2014-4114: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold…

Priority: P1 · 90 · high · CVSS 3.1 base score: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 81.63% (99.6th percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

Affected (2 ranges)

Vendor    | Product             | Version range | Fixed in
microsoft | windows_server_2008 |               |
microsoft | windows_server_2012 |               |

Detection & IOCs (extracted from sources)

hash (MD5): 330e8d23ab82e8a0ca6d166755408eb1
ip: 94.185.85.122
hash (SHA-256): 70B8D220469C8071029795D32EA91829F683E3FBBAA8B978A31A0974DAEE8AAF
ip: 95.143.193.131
ip: 46.165.222.6
ip: 78.46.40.239
ip: 144.76.119.48
ip: 37.220.34.56
ip: 46.4.28.218
ip: 95.143.193.182
ip: 5.61.38.31
ip: 94.185.80.66
ip: 95.211.122.36
snort: 32186
  • The exploit embeds two OLE objects in a malicious PowerPoint file: a .inf file and an executable. The .inf file modifies the host and launches the malicious executable; a registry key is added for persistence after reboot.
  • Malware signatures Trojan.Mdropper and Backdoor.Lancafdo.A are associated with the Sandworm/CVE-2014-4114 campaign and can be used as AV/SIEM detection criteria.
  • The Recorded Future hash (MD5) and IP were extracted from social media (tweets) at the time of initial disclosure and may represent early-stage, unverified IOCs; the IP was reportedly removed from Twitter shortly after posting.
  • The Talos IP list covers infrastructure observed at the time of initial exploitation (October 2014); these IPs may have rotated or been reassigned since then.
  • Windows XP is explicitly not affected by CVE-2014-4114; detection and patching efforts should focus on Vista SP2 and later supported versions.

CVSS provenance

nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 7.8 HIGH
cisa · 7.8 HIGH