Cyber Resilience

CVE-2014-1812

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 14 May 2014
Modified: 22 April 2026
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7463 (98.9th percentile)
Risk Priority: 82 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-1812 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an elevation of privilege flaw in the Group Policy implementation on Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2. It stems from improper handling of password distribution in Group Policy Preferences, allowing credentials stored in SYSVOL to be accessed by unauthorized parties, and is tracked under CWE-255 and CWE-522.

Remote authenticated users with access to the SYSVOL share can exploit the issue to retrieve sensitive credential information and subsequently obtain elevated privileges on affected systems. The flaw was actively exploited in the wild as of May 2014.

Microsoft security bulletin MS14-025 and the associated Security Research & Defense blog post describe an update that removes the ability to deploy passwords via Group Policy Preferences, recommending administrators cease using this feature and transition to more secure alternatives such as LAPS or scheduled tasks with proper permissions. The update is available through standard Windows Update channels for the listed platforms.
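An audit for passwords still stored in Group Policy Preferences, as an added example (not code from this page or from Microsoft): it walks a copy of SYSVOL and lists preference XML elements that carry a non-empty `cpassword` attribute, reporting locations only and never the value. The `cpassword` attribute name, the account attribute names and the sample tree are assumptions not stated on this page; the sample data is constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

ACCOUNT_ATTRS = ("username", "accountname", "runas")  # assumed attribute names


def find_gpp_passwords(sysvol_root):
    """Walk a SYSVOL copy; return (findings, unparsed).
    findings: sorted (relative_path, element_tag, account) per element with a
    non-empty cpassword attribute. The attribute value itself is never returned."""
    findings, unparsed = [], []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, sysvol_root).replace(os.sep, "/")
            try:
                root = ET.parse(path).getroot()
            except (ET.ParseError, OSError):
                unparsed.append(rel)  # review by hand; do not assume clean
                continue
            for elem in root.iter():
                attrs = {k.lower(): v for k, v in elem.attrib.items()}
                if attrs.get("cpassword"):  # empty string = no stored password
                    account = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "")
                    findings.append((rel, elem.tag, account))
    return sorted(findings), sorted(unparsed)


def build_sample_sysvol(root):
    """Write a constructed sample tree (placeholder values, not real data)."""
    samples = {
        "Policies/{POLICY-A}/Machine/Preferences/Groups/Groups.xml":
            '<Groups><User name="x"><Properties userName="svc_backup" '
            'cpassword="PLACEHOLDER"/></User></Groups>',
        "Policies/{POLICY-B}/Machine/Preferences/Services/Services.xml":
            '<NTServices><NTService name="y"><Properties accountName="svc_app" '
            'cpassword=""/></NTService></NTServices>',
        "Policies/{POLICY-C}/User/Preferences/Drives/Drives.xml": "<Drives><Drive",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysvol(tmp)
        print(find_gpp_passwords(tmp))
```

Each finding is a preference item to remove and an account whose password should be changed; files listed as unparsed need manual review rather than being treated as clean.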

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming real-world exploitation activity.

Vulnerability details

The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft windows 7: all versions
microsoft windows 8: all versions
microsoft windows 8.1: all versions
microsoft windows server 2008: all versions, r2
microsoft windows server 2012: all versions, r2
microsoft windows vista: all versions

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires secure generation, storage, and distribution of authenticators, eliminating the GPP plaintext-password storage in SYSVOL that enables the described credential theft.

prevent

Enforces access restrictions on SYSVOL so that only authorized principals can read Group Policy files, blocking the remote authenticated user vector.

prevent

Mandates prompt application of the MS14-025 update that removes the vulnerable password-deployment capability in Group Policy Preferences.
