⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions..

CVE-2014-6332Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft Windows Server 2008

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer68 documents15 sources
Severity
8.8HIGHNVD
EPSS
94.1%
top 0.09%
CISA KEV
KEV
Added 2022-03-25
Due 2022-04-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Microsoft Windows Server 2008Microsoft Windows Server 2012
Timeline
PublishedNov 11
KEV addedMar 25
KEV dueApr 15
Latest updateFeb 12
CISA Required Action: Apply updates per vendor instructions.

Description

OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

Patches

Patch: docs.microsoft.comPatch: docs.microsoft.com

🔴Vulnerability Details

2
GHSA
GHSA-w64p-pvrc-c5w3: OleAut322022-05-14
VulnCheck
Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability2014

💥Exploits & PoCs

10
Exploit-DB
The World Browser 3.0 Final - Remote Code Execution2015-10-22
Exploit-DB
HTML Compiler - Remote Code Execution2015-10-20
Exploit-DB
Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064)2015-08-17
Exploit-DB
Internet Download Manager - OLE Automation Array Remote Code Execution2015-07-21
Exploit-DB
Havij - OLE Automation Array Remote Code Execution2015-06-27

🔍Detection Rules

7
Suricata
ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M22016-09-01
Suricata
ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M12016-09-01
Suricata
ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M22016-05-06
Suricata
ET EXPLOIT Possible CVE-2014-6332 DECS22015-02-18
Suricata
ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve2014-12-03

📋Vendor Advisories

1
CISA
Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability2022-03-25

🕵️Threat Intelligence

45
Sentinelone
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years2022-06-09
Sentinelone
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years2022-06-09
Unit42
Web-Based Threats: First Half 20192019-11-01
Unit42
Web-Based Threats: First Half 20192019-11-01
Trendmicro
‘Purple Fox’ Malware Can Rootkit and Abuse PowerShell2019-09-09

📄Research Papers

2
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures2025-02-12
arXiv
Technical Aspects of Cyber Kill Chain2016-06-10