Cyber Resilience

CVE-2014-4123

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 October 2014
Modified: 21 April 2026
KEV added: 25 May 2022
Patch: available (MS14-056)
CVSS score (v3.1): 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS score: 0.5724 (98.2nd percentile)
Risk priority: 72 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2014-4123 is a high-severity vulnerability of unspecified weakness type in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

Microsoft Internet Explorer versions 7 through 11 contain an elevation of privilege vulnerability, tracked as CVE-2014-4123, that is distinct from the related issue CVE-2014-4124. The flaw permits remote attackers to obtain higher privileges when a user visits a specially crafted web site. It carries a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, required user interaction, and high impact on confidentiality, integrity, and availability.

An attacker can exploit the vulnerability by hosting or compromising a malicious web site and luring a victim to visit it; successful exploitation grants the attacker the ability to run arbitrary code with the privileges of the current user. The issue was observed being exploited in the wild during October 2014.

Microsoft addressed the vulnerability in security bulletin MS14-056, with additional details provided in the October 2014 Security Update blog post and vendor advisories such as Secunia 60968.

The vulnerability saw active exploitation shortly after disclosure, underscoring the need for prompt application of the available patches across supported Internet Explorer installations.

Vulnerability details

Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," as exploited in the wild in October 2014, a different vulnerability than CVE-2014-4124.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Internet Explorer, versions 7, 8, 9, 10 and 11

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly requires applying the MS14-056 security update that Microsoft released to eliminate the EoP flaw in IE 7-11.

Prevent: Enforces malicious-code protections (e.g., browser sandboxing, script blocking, URL filtering) that can stop the crafted site from delivering the exploit payload.

Prevent (AC-6, Least Privilege): Limits the privileges of the IE process and user account, reducing the impact of successful EoP to the current user context.