CVE-2014-1812
Summary
| CVE | CVE-2014-1812 |
|---|---|
| State | PUBLISHED |
| Assigner | microsoft |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-05-14 11:13:06 UTC |
| Updated | 2026-04-22 16:44:46 UTC |
| Description | The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability." |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.830890000 probability, percentile 0.992640000 (date 2026-04-22)
CISA KEV: Listed on 2021-11-03; due 2022-05-03; ransomware use Known
Problem Types: CWE-255 | CWE-522 | n/a | CWE-522 CWE-522 Insufficiently Protected Credentials
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 9 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
SingleConfidentiality
CompleteIntegrity
CompleteAvailability
CompleteAV:N/AC:L/Au:S/C:C/I:C/A:C
CISA Known Exploited Vulnerability
| Vendor | Microsoft |
|---|---|
| Product | Windows |
| Name | Microsoft Windows Group Policy Preferences Password Privilege Escalation Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2014-1812 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Microsoft | Windows 7 | - | sp1 | All | All |
| Operating System | Microsoft | Windows 8 | - | All | All | All |
| Operating System | Microsoft | Windows 8.1 | - | All | All | All |
| Operating System | Microsoft | Windows Server 2008 | - | sp2 | All | All |
| Operating System | Microsoft | Windows Server 2008 | r2 | sp1 | All | All |
| Operating System | Microsoft | Windows Server 2008 | r2 | sp1 | All | All |
| Operating System | Microsoft | Windows Server 2012 | - | All | All | All |
| Operating System | Microsoft | Windows Server 2012 | r2 | All | All | All |
| Operating System | Microsoft | Windows Vista | - | sp2 | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| Microsoft Security Bulletin MS14-025 - Important | Microsoft Docs | af854a3a-2127-422b-91ae-364da2661108 | docs.microsoft.com | Patch, Vendor Advisory |
| MS14-025: An Update for Group Policy Preferences - Security Research & Defense - Site Home - TechNet Blogs | af854a3a-2127-422b-91ae-364da2661108 | blogs.technet.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2021-11-03T00:00:00.000Z | CVE-2014-1812 added to CISA KEV |
There are currently no legacy QID mappings associated with this CVE.