Cyber Resilience

CVE-2014-0160

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 07 April 2014

Modified: 21 April 2026
KEV Added: 04 May 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 1.0000 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2014-0160 is a high-severity out-of-bounds read (CWE-125) vulnerability in Mitel MiCollab. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2014-0160 is a buffer over-read (CWE-125) in the TLS and DTLS implementations of OpenSSL versions 1.0.1 through 1.0.1f. It stems from improper handling of Heartbeat Extension packets in d1_both.c and t1_lib.c: the code does not validate the length of an incoming packet before reading from process memory.

Remote attackers with network access can exploit the flaw by sending specially crafted Heartbeat requests, triggering an out-of-bounds read that discloses up to 64 KB of sensitive data such as private keys, session cookies, or other process memory contents. The attack requires no authentication and can be repeated to increase the volume of leaked data, as reflected in the CVSS 7.5 score emphasizing high confidentiality impact without affecting integrity or availability.

Advisories and patches referenced in the provided URLs, including the OpenSSL git commit 96db9023b881d7cd9f379b0c154650d6c108e9a3, indicate that the issue is resolved by upgrading to OpenSSL 1.0.1g, with distribution-specific guidance such as MGASA-2014-0165 recommending immediate updates to the patched package.
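
The length validation described above, as an added example (not code from this page or from OpenSSL): a hypothetical hb_build_response helper parses a heartbeat record using the RFC 6520 message layout and discards any record whose claimed payload length exceeds the bytes actually received. The helper name, constants and sample records are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout per RFC 6520:
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Hypothetical helper (not OpenSSL's API): builds the response for one received
 * heartbeat record. Returns the response length, or 0 when the record must be
 * silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* A record too short to hold header plus minimum padding is malformed. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;

    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* sender-claimed length */

    /* The length validation: the claimed payload must fit inside the bytes
     * actually received, otherwise the copy below would read past rec. */
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return 0;

    size_t resp_len = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);
    /* Simplification: zero padding; a real implementation uses random bytes. */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return resp_len;
}

int main(void)
{
    /* Constructed sample records, 23 bytes each (3 header + 4 payload + 16 padding). */
    uint8_t consistent[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t oversized[23]  = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    printf("consistent: %zu\n", hb_build_response(consistent, sizeof consistent, out, sizeof out));
    printf("oversized:  %zu\n", hb_build_response(oversized, sizeof oversized, out, sizeof out));
    return 0;
}
```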

EU & UK References

Vulnerability details

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CWE(s)
KEV Date Added: 04 May 2022

Related Threats

CVEs Like This One

CVE-2025-54309 · Same product class: managed file transfer · both on KEV
CVE-2023-34362 · Same product class: managed file transfer · both on KEV
CVE-2025-10035 · Same product class: managed file transfer · both on KEV
CVE-2023-0669 · Same product class: managed file transfer · both on KEV
CVE-2021-4034 · Same product: Canonical Ubuntu Linux · both on KEV
CVE-2026-3055 · Shared CWE-125 · both on KEV
CVE-2025-22226 · Shared CWE-125 · both on KEV
CVE-2025-24991 · Shared CWE-125 · both on KEV
CVE-2023-48795 · Same product: Debian Debian Linux
CVE-2023-4911 · Same product: Canonical Ubuntu Linux · both on KEV

Affected Assets

Vendor | Product | Version(s)
openssl | openssl | 1.0.1 — 1.0.1g
filezilla-project | filezilla server | ≤ 0.9.44
siemens | application processing engine firmware | 2.0
siemens | cp 1543-1 firmware | 1.1
siemens | simatic s7-1500 firmware | 1.5
siemens | simatic s7-1500t firmware | 1.5
siemens | elan-8.2 | ≤ 8.3.3
siemens | wincc open architecture | 3.12
intellian | v100 firmware | 1.20, 1.21, 1.24
intellian | v60 firmware | 1.15, 1.25
+18 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires timely identification and installation of the OpenSSL 1.0.1g patch that eliminates the Heartbeat buffer over-read.

Prevent: Mandates validation of incoming Heartbeat Extension packet lengths, exactly the missing check in d1_both.c and t1_lib.c that enables the over-read.

Prevent: Requires memory-protection mechanisms that can limit the impact of out-of-bounds reads on sensitive process memory such as private keys.

References