CVE-2014-6352
Published: 2014-10-22
CVE-2014-6352: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold…
Priority: P1 · 89 · high · CVSS 3.1: 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-08-25
Exploited in the wild
EPSS: 77.55% (99.5th percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2014-6352 is exploited via crafted PowerPoint (.pps/.pptx) files delivered through spear-phishing emails; hunt for PowerPoint files spawning unexpected child processes.
- Post-exploitation payload is a UPX-packed AutoIT executable; detect UPX-packed AutoIT binaries dropped after Office process execution as an indicator of CVE-2014-6352 exploitation.
- PLEAD loader components are named after the target organization (e.g., {target name}.exe or {target name}64.exe); look for suspiciously named loader executables that match the victim organization's name.
- AutoIT backdoor (associated with MONSOON/Dropping Elephant) was frequently used in weaponized .pps files exploiting CVE-2014-6352; detect AutoIT-compiled executables dropped from PowerPoint processes.
- CVE-2014-6352 was patched by Microsoft in October 2014; exploitation observed in the wild is against unpatched systems. Indicators from 2014-2017 campaigns may not reflect current infrastructure.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
CISA
Microsoft Windows Code Injection Vulnerability
cisa·2022-02-25·CVSS 7.8
CVE-2014-6352 [HIGH] CWE-94 Microsoft Windows Code Injection Vulnerability
Vulnerability: Microsoft Windows Code Injection Vulnerability
Affected: Microsoft Windows
Microsoft Windows allows remote attackers to execute arbitrary code via a crafted OLE object.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-6352
Remediation Due Date: 2022-08-25
GHSA
GHSA-hcj8-r3vf-4jr7: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8
ghsa_unreviewed·2022-05-14
CVE-2014-6352 [HIGH] CWE-94 GHSA-hcj8-r3vf-4jr7: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.
VulnCheck
Microsoft Windows Code Injection Vulnerability
vulncheck·2014·CVSS 7.8
CVE-2014-6352 [HIGH] CWE-94 Microsoft Windows Code Injection Vulnerability
Microsoft Windows allows remote attackers to execute arbitrary code via a crafted OLE object.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2014-6352; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://securelist.com/the-dropping-elephant-actor/75328/; https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf; https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html; https://www.mycert.org.my/portal/advisory?id=MA-774.022020; https://go.recordedfuture.com/hubfs/reports/cta-2020-0603.pdf; https
No detection rules found.
Exploit-DB
Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)
exploitdb·2014-11-14
CVE-2014-6352 Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.
The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms
such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known
to be vulnerable. However, based on our testing, the most reliable setup is on Windows
pla
Exploit-DB
Microsoft Windows - OLE Package Manager Code Execution (via Python) (MS14-064) (Metasploit)
exploitdb·2014-11-14
CVE-2014-6352 Microsoft Windows - OLE Package Manager Code Execution (via Python) (MS14-064) (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability
publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista
SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.
However, based on our testing, the most reliable setup is on Windows plat
Exploit-DB
Microsoft Office 2007/2010 - OLE Arbitrary Command Execution
exploitdb·2014-11-12·CVSS 7.8
CVE-2014-6352 [HIGH] Microsoft Office 2007/2010 - OLE Arbitrary Command Execution
---
#
# Full exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35216.rar
#
#CVE-2014-6352 OLE Remote Code Execution
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Advanced Hacking Trainings - http://training.aslitsecurity.com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Tested on win7 - office 2007 and 2010. The exploit will not give a UAC warning if the user account is an administrator; otherwise there will be a UAC warning.
#No .inf file is required in this exploit
#The size of executable payload should be less than 400kb
#python 2.7 required
#The folder "temp" should be in same dir as this python file.
# usage - python.exe
Exploit-DB
Microsoft Windows - OLE Remote Code Execution 'Sandworm' (MS14-060)
exploitdb·2014-10-25·CVSS 7.8
CVE-2014-6352 [HIGH] Microsoft Windows - OLE Remote Code Execution 'Sandworm' (MS14-060)
---
# !/usr/bin/python
# Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) Sandworm
# Author: Mike Czumak (T_v3rn1x) - @SecuritySift
# Written: 10/21/2014
# Tested Platform(s): Windows 7 SP1 (w/ exploit script run on Kali Linux)
# You are free to reuse this code in part or in whole with the exception of commercial applications
# For a demo of this PoC, see http://www.securitysift.com/windows-ole-rce-exploit-ms14-060/
import sys, os
import zipfile
import argparse
import subprocess
from shutil import copyfile
from pptx import Presentation
# Args/Usage
def get_args():
parser = argparse.ArgumentParser( prog="ms14_060.py",
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
epilog= '''This scri
Exploit-DB
Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)
exploitdb·2014-10-20
CVE-2014-6352 Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows
Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be
vulnerable. However, based on our testing, the most reliable setup is on Windows platforms
running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such
as using
Exploit-DB
Microsoft Windows - OLE Package Manager SandWorm
exploitdb·2014-10-20·CVSS 7.8
CVE-2014-6352 [HIGH] Microsoft Windows - OLE Package Manager SandWorm
---
#!/usr/bin/env python
import os
import zipfile
import sys
'''
Full Exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35019.tar.gz
Very quick and ugly [SandWorm CVE-2014-4114] exploit builder
Exploit Title: CVE-2014-4114 SandWorm builder
Built to run on: Linux/MacOSX
Date: 17/10/2014
Exploit Author: Vlad Ovtchinikov (@v1ad_o)
Vendor Homepage: microsoft.com
Tested on: Win7Sp1 64 bit - Microsoft Office 2013 Plus
Demo: http://youtu.be/ljjEkhflpvM
CVE : CVE-2014-4114
NOTE:
expl.inf (md5 8313034e9ab391df83f6a4f242ec5f8d) + expl.zip (md5 4a39121a60cc79d211fc7f7cfe00b707)
should be located in the same dir as the builder.
01:39 cve-2014-4114.py
19:35 expl.inf
15:37 expl.zip
e.g. python cve-2014-4114.py
Metasploit
MS14-064 Microsoft Windows OLE Package Manager Code Execution
metasploit
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function.
Metasploit
MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
metasploit
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function.
Trendmicro
The Trail of BlackTech’s Cyber Espionage Campaigns
blogs_trendmicro·2017-06-22·CVSS 9.8
[CRITICAL] The Trail of BlackTech’s Cyber Espionage Campaigns
# The Trail of BlackTech’s Cyber Espionage Campaigns
Following the activities and evolving tactics of cyberespionage group BlackTech helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.
By: Lenart Bermejo, Razor Huang, CH Lei
2017/06/22
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology.
Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three see
Securelist
IT threat evolution Q3 2016
blogs_securelist·2016-11-03·CVSS 8.8
[HIGH] IT threat evolution Q3 2016
Table of Contents
- Overview
  - Targeted attacks and malware campaigns
    - Dropping Elephant
    - ProjectSauron
    - ShadowBrokers
    - Operation Ghoul
  - Malware stories
    - Lurk
    - Ransomware
    - Data breaches
Authors
- David Emm
Statistics
Download the full report (PDF)
## Overview
### Targeted attacks and malware campaigns
#### Dropping Elephant
Targeted attack campaigns don’t need to be technically advanced in order to be successful. In July 2016 we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using a combination of social engineering, old exploit code and some PowerShell-based malware this group was able to steal sensitive data from its victims.
This group, which has been active since November 2015, targets high profile diplomatic and economic organizations linked to China’s foreign relations – an interest that is evident from the themes the attackers use to trap their victims.
The attackers use a combinat
Talos
Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
blogs_talos·2014-11-11·CVSS 7.8
[HIGH] Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
## Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. They cover a total of 33 CVEs.
We’ll start off with the four critical bulletins, for a total of 21 CVEs that can result in remote code execution:
Our first bulletin of the month is MS14-064 and fixes two vulnerabilities (CVE-2014-6332, CVE-2014-6352) in Windows Object Linking and Embedding (OLE) that could allow remote code execution. Both issues are seeing attack in the wild and can be considered 0-days. CVE-2014-6352 is a vulnerabil
Threat Intel
BlackTech (BlackTech, Palmerworm)
threat_intel·CVSS 9.8
[CRITICAL] BlackTech (BlackTech, Palmerworm)
# Threat Actor Profile: BlackTech
ATT&CK ID: G0098
Also known as: BlackTech, Palmerworm
Suspected origin: China
## Overview
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)
## Techniques (TTPs)
### Resource Development
- T1588.003 Code Signing Certificates
Usage: BlackTech has used stolen code-signing certificates for its malicious pay
Threat Intel
APT33 (APT33, HOLMIUM, Elfin)
threat_intel
APT33 (APT33, HOLMIUM, Elfin)
# Threat Actor Profile: APT33
ATT&CK ID: G0064
Also known as: APT33, HOLMIUM, Elfin, Peach Sandstorm
Suspected origin: Iran
## Overview
APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: APT33 has obtained and leveraged publicly-available tools for early intrusion activities.(Citation: FireEye APT33 Guardrail)(Citation: Symantec Elfin Mar 2019)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: APT33 has sent
Zscaler
Zscaler found Multiple Security Vulnerabilities | 10-14-2014
blogs_zscaler·CVSS 8.8
[HIGH] Zscaler found Multiple Security Vulnerabilities | 10-14-2014
Threat Intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
threat_intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
# Threat Actor Profile: Patchwork
ATT&CK ID: G0040
Also known as: Patchwork, Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Suspected origin: China
## Overview
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Cita
arXiv
Techniques of Modern Attacks
arxiv_fulltext·2026-01-19
Techniques of Modern Attacks
## Abstract
The techniques used in modern attacks have become an important factor for investigation. As we advance further into the digital age, cyber attackers are employing increasingly sophisticated and highly threatening methods. These attacks target not only organizations and governments but also extend to private and corporate sectors. Modern attack techniques, such as lateral movement and ransomware, are designed to infiltrate networks and steal sensitive data. Among these techniques, Advanced Persistent Threats (APTs) represent a complex method of attack aimed at specific targets to steal high-value sensitive information or damage the infrastructure of the targeted organization.
In this paper, I will investigate Advanced Persistent Threats (APTs) as a modern attack technique, focu
ATT&CK
AutoIt backdoor
mitre_attack·CVSS 7.8
CVE-2014-6352 [HIGH] AutoIt backdoor
AutoIt backdoor
[AutoIt backdoor](https://attack.mitre.org/software/S0129) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
References
- http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx
- http://secunia.com/advisories/61803
- http://twitter.com/ohjeongwook/statuses/524795124270653440
- http://www.securityfocus.com/bid/70690
- http://www.securitytracker.com/id/1031097
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-064
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97714
- https://technet.microsoft.com/library/security/3010060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-6352
Published: 2014-10-22
Added to CISA KEV: 2022-02-25
Exploited in the wild