CVE-2014-4114 — Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability

Windows OLE — 'Sandworm' Zero-Day: Remote OLE Package Loading via Office Files Enables RCE Without a Memory-Corruption Bug

What Is Windows OLE?

Object Linking and Embedding (OLE) is a Microsoft technology that allows embedding and linking documents and objects from different applications within a single document. For example, an Excel spreadsheet can be embedded in a Word document, or a media file linked in a PowerPoint presentation. The OLE "package" object type allows embedding arbitrary file references — including remote UNC paths — that Windows resolves when the document is opened. This capability is central to CVE-2014-4114: there is no traditional memory corruption involved; the flaw is that OLE silently downloads and executes content from remote attacker-controlled servers.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-4114 is a Windows OLE zero-day exploited by Sandworm Team (a Russian GRU-linked APT) in targeted attacks against NATO, EU, and Ukrainian government organizations. Unlike most code execution vulnerabilities, CVE-2014-4114 does not involve a memory corruption bug. Instead, Windows OLE's package object allows a document to reference and download a file from a remote server (SMB/UNC path) and then execute it, triggered simply by opening the Office document. iSIGHT Partners discovered the zero-day exploitation and named the campaign "Sandworm" after references to Frank Herbert's Dune found in the malware. Microsoft patched it in MS14-060 (October 14, 2014); the patch was bypassed within a week (CVE-2014-6352).

Affected Versions

Windows Status
Windows Vista, 7, 8, 8.1 Vulnerable
Windows Server 2003, 2008, 2008 R2, 2012, 2012 R2 Vulnerable
Windows RT, Windows RT 8.1 Vulnerable

All supported Windows versions at the time were affected.

Technical Details

Root Cause: OLE Package Objects Load and Execute Remote Content

Windows OLE supports a "Package" object type (handled by packager.dll) that can reference external content — historically used to embed installer files or other executables inside Office documents. The critical flaw: when a document containing an OLE package with a UNC path (e.g., \\attacker.com\share\payload.inf) is opened, Windows:

  1. Silently downloads the referenced file from the attacker's server via SMB or WebDAV
  2. Executes the downloaded file based on its file extension (.inf, .exe, etc.)

No buffer overflow. No shellcode. No sandbox escape needed. Opening the document triggers automatic download and execution of arbitrary attacker-controlled files.

The exploit delivery: Sandworm used malicious PowerPoint slideshow files (.ppsx) containing two OLE package objects:

  • One that downloaded and executed an INF file (installing the BlackEnergy backdoor)
  • One that displayed a decoy document to avoid suspicion
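As an added detection example (not code from the original page, nor from iSIGHT or Microsoft): a Python scanner that unpacks an OOXML container such as a .ppsx, inspects each embedded OLE object under the embeddings folder, and reports any UNC path it carries, since a package object pointing at a remote share is the telltale of this abuse. The host name, file layout, and blob contents below are constructed placeholders, not real indicators or real packager structures.

```python
import io
import re
import zipfile

# Embedded OLE objects in OOXML containers (.ppsx/.pptx/.docx/.xlsx) live under these paths.
EMBEDDING_RE = re.compile(r"^(?:ppt|word|xl)/embeddings/.+\.bin$")
# A UNC reference: two backslashes, a host name, a backslash, then a share/path.
UNC_RE = re.compile(r"\\\\[\w.-]+\\[^\x00\"<>|\r\n]{1,200}")


def extract_unc_paths(blob: bytes) -> list[str]:
    """Return UNC paths found in an OLE blob, whether stored as 8-bit or UTF-16LE text.

    A UTF-16 string may begin at an odd byte offset, so both alignments are decoded.
    """
    views = [blob.decode("latin-1")]
    for offset in (0, 1):
        views.append(blob[offset:].decode("utf-16-le", errors="ignore"))
    return sorted({m.group(0) for text in views for m in UNC_RE.finditer(text)})


def scan_office_file(data: bytes) -> dict[str, list[str]]:
    """Map each embedded OLE object in an OOXML file to the UNC paths it references."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if EMBEDDING_RE.match(name):
                paths = extract_unc_paths(zf.read(name))
                if paths:
                    hits[name] = paths
    return hits


def build_sample_ppsx() -> bytes:
    """Construct a toy .ppsx-shaped ZIP: one package object with a UNC path, one decoy.

    Placeholder host and hand-made blobs; 17 bytes of padding put the UTF-16 copy of
    the path at an odd offset to exercise the alignment handling above.
    """
    unc = "\\\\files.example.invalid\\share\\update.inf"
    remote_pkg = b"\x02\x00" + unc.encode("ascii") + b"\x00" * 17 + unc.encode("utf-16-le")
    decoy_pkg = b"\x02\x00" + b"C:\\Users\\decoy\\slides.gif\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/embeddings/oleObject1.bin", remote_pkg)
        zf.writestr("ppt/embeddings/oleObject2.bin", decoy_pkg)
    return buf.getvalue()


if __name__ == "__main__":
    for obj, paths in scan_office_file(build_sample_ppsx()).items():
        print(f"{obj}: references remote content {paths}")
```

Any hit is worth quarantining for review: a legitimate package object normally points at local content, and the decoy object in the sample produces no hit.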

Why This Is Architecturally Significant

Most exploits require a memory safety vulnerability to redirect code execution. CVE-2014-4114 achieves code execution through a design feature — OLE's legitimate ability to reference remote resources — that was not properly restricted. This class of "living-off-the-land" file format abuse is particularly difficult to defend against because it uses trusted Windows functionality.

Attack Characteristics

Attribute Detail
Delivery Malicious Office document (PowerPoint .ppsx) via spear-phishing
User Interaction Open the Office file
Memory Corruption None — pure design/logic flaw
Network Required Yes — attacker's SMB server must be reachable
Named Campaign Sandworm (iSIGHT Partners, Oct 2014)

Discovery

iSIGHT Partners discovered active exploitation in October 2014 while analyzing a spear-phishing campaign against attendees of the NATO Ukraine Extraordinary Summit and government organizations in Ukraine, Poland, and the EU. The firm named the threat actor "Sandworm Team" after references to the Dune novel (sandworm, arrakis, baron) found in the malware infrastructure. iSIGHT reported the zero-day to Microsoft on October 13, 2014; MS14-060 was released the next day.

Exploitation Context

  • Sandworm Team (GRU Unit 74455): The Russian military intelligence threat actor later responsible for the 2015–2016 Ukraine power grid attacks and the 2017 NotPetya global cyberattack — the costliest cyberattack in history at the time
  • Targets: Ukrainian government, NATO organizations, EU government entities, energy sector, European defense contractors; timing aligned with the Russian annexation of Crimea and the Ukraine conflict
  • Payload: BlackEnergy 3 malware — a modular backdoor used for espionage, credential theft, and later destructive operations (ICS/SCADA interference)
  • Patch bypass: The MS14-060 patch was bypassed within a week (CVE-2014-6352, the "double-kill"), requiring a second patch
  • Strategic significance: The Sandworm campaigns using CVE-2014-4114 were early indicators of the Russian state's evolving approach to offensive cyber operations targeting critical infrastructure

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS14-060 (October 2014) AND the follow-up patch for CVE-2014-6352 (the bypass). Both must be applied.

  2. Block outbound SMB (TCP 445) at the perimeter firewall. This prevents the OLE package object from reaching the attacker's SMB server and breaks the exploit chain even on unpatched systems. Because the package can also be fetched over WebDAV (see Technical Details), restrict outbound WebDAV traffic to untrusted hosts as well.

  3. Disable OLE package activation via registry:

     HKCU\Software\Microsoft\Office\<version>\<app>\Security\PackagerPrompt = 2

     Setting the value to 2 blocks package activation outright, with no prompt shown.

  4. Enable Office Protected View — opens documents from email and internet in a sandboxed view that blocks OLE execution.

  5. User awareness: Train staff to be suspicious of PowerPoint or Office files received unexpectedly, especially .ppsx files that auto-run on open.

Key Details

Property              Value
CVE ID                CVE-2014-4114
Vendor / Product      Microsoft — Windows
NVD Published         2014-10-15
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-610 — Externally Controlled Reference to a Resource in Another Sphere
CISA KEV Added        2022-03-03
CISA KEV Deadline     2022-03-24
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Local
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date          Event
2014-10-13    iSIGHT Partners discloses zero-day exploitation to Microsoft; 'Sandworm' campaign publicly named
2014-10-14    Microsoft Security Bulletin MS14-060 released (out-of-band); CVE-2014-4114 patched
2014-10-15    CVE-2014-4114 published by NVD
2014-10-21    Bypass of MS14-060 discovered; CVE-2014-6352 assigned; additional patch required
2022-03-03    Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24    CISA BOD 22-01 remediation deadline