Cyber Resilience

CVE-2014-2817

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 August 2014

Modified: 22 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.2906 (96.7th percentile)
Risk Priority: 55 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-2817 is a high-severity vulnerability of unspecified weakness type in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 3.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Microsoft Internet Explorer versions 6 through 11 are affected by CVE-2014-2817, an elevation of privilege vulnerability that can be triggered when a user visits a specially crafted website. The flaw is tracked under the alias "Internet Explorer Elevation of Privilege Vulnerability" and carries a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, and no required privileges.

Remote attackers can exploit the issue by serving malicious content that executes in the context of the current user, resulting in full compromise of confidentiality, integrity, and availability on the affected system. Successful exploitation requires user interaction such as clicking a link or viewing a page in Internet Explorer.

Microsoft security bulletin MS14-051 addresses the vulnerability and supplies the corresponding security updates for supported versions of Internet Explorer. The bulletin is referenced alongside related advisories on SecurityFocus and SecurityTracker for additional patch and workaround guidance.

Vulnerability details

Microsoft Internet Explorer 6 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability."

CWE(s)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: internet explorer
Versions: 6, 7, 8, 10, 11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely installation of the MS14-051 security update that eliminates the EoP flaw in IE 6-11.

prevent: Establishes usage restrictions and control of mobile code (scripts, active content) delivered by crafted websites that trigger the vulnerability.

prevent: Limits privileges available to the IE process, reducing the impact of successful exploitation to the current user context.
