CVE-2014-1812
Published: 14 May 2014
Summary
CVE-2014-1812 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an elevation of privilege flaw in the Group Policy implementation on Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2. It stems from improper handling of password distribution in Group Policy Preferences, allowing credentials stored in SYSVOL to be accessed by unauthorized parties, and is tracked under CWE-255 and CWE-522.
Remote authenticated users with access to the SYSVOL share can exploit the issue to retrieve sensitive credential information and subsequently obtain elevated privileges on affected systems. The flaw was actively exploited in the wild as of May 2014.
Microsoft security bulletin MS14-025 and the associated Security Research & Defense blog post describe an update that removes the ability to deploy passwords via Group Policy Preferences, recommending administrators cease using this feature and transition to more secure alternatives such as LAPS or scheduled tasks with proper permissions. The update is available through standard Windows Update channels for the listed platforms.
The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming real-world exploitation activity.
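As an added defensive example (written for this page, not Microsoft's MS14-025 script and not code from this record), the following Python walks a SYSVOL-style policy tree, opens the Group Policy Preference XML files that could carry a deployed password, and reports every preference item whose `Properties` element still has a `cpassword` attribute, which is the field GPP used to store the password; it only checks for the attribute's presence and never decodes it. The file names, folder layout and dummy `cpassword` values in the sample tree are constructed assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that accepted a password field before MS14-025 (known file names).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(sysvol_root):
    """Return (relative_file, item_tag, item_name, account) for each preference item
    whose <Properties> carries a non-empty cpassword; the value itself is never decoded."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in sorted(files):
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unparsable file: a production scan should log it
            for item in root.iter():
                props = item.find("Properties")
                if props is not None and props.get("cpassword"):
                    account = props.get("userName") or props.get("runAs")
                    hits.append((os.path.relpath(path, sysvol_root), item.tag,
                                 item.get("name"), account))
    return hits

# Constructed sample tree (assumption, not real policy data); cpassword values are dummies.
SAMPLE_FILES = {
    "Policies/{GPO-1}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="LocalAdmin"><Properties action="U" userName="LocalAdmin" '
        'cpassword="DUMMYVALUE=" changeLogon="0"/></User></Groups>',
    "Policies/{GPO-1}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml":
        '<ScheduledTasks><Task name="Nightly"><Properties runAs="CORP\\svc_backup" '
        'cpassword="DUMMYVALUE="/></Task></ScheduledTasks>',
    "Policies/{GPO-2}/User/Preferences/Drives/Drives.xml":
        '<Drives><Drive name="H:"><Properties path="\\\\fs\\home" action="U"/></Drive></Drives>',
}

def build_sample_sysvol():
    """Write the constructed files into a temp directory and return its path."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    for rel, xml_text in SAMPLE_FILES.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(xml_text)
    return base
```

Pointed at a copy of a domain's SYSVOL policies folder, `find_cpasswords` inventories the preference items that still need to be removed after the update; on the constructed tree it flags the Groups.xml user item and the scheduled task and nothing in Drives.xml.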
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-1886
Vulnerability details
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
- CWE(s): CWE-255, CWE-522
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly requires secure generation, storage, and distribution of authenticators, eliminating the GPP plaintext-password storage in SYSVOL that enables the described credential theft.
- Enforces access restrictions on SYSVOL so that only authorized principals can read Group Policy files, blocking the remote authenticated user vector.
- SI-2 (Flaw Remediation): Mandates prompt application of the MS14-025 update that removes the vulnerable password-deployment capability in Group Policy Preferences.