CVE-2014-1812
published 2014-05-14CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server…
PriorityP190high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITWEXPLOITRansomware
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
64.31%
99.1th percentile
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Attackers exploit this vulnerability by accessing the SYSVOL share on domain controllers to retrieve Group Policy Preferences (GPP) XML files containing encrypted (cpassword) credentials ↗
- →Detection focus: Monitor authenticated SMB access to the SYSVOL share, particularly enumeration of GPP XML files (Groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml) for cpassword fields ↗
- →This vulnerability was actively exploited in the wild; treat any access to SYSVOL GPP XML files by non-administrative or unexpected accounts as high-priority alert ↗
- →An authenticated attacker decrypts cpassword values from GPP files to escalate privileges on the domain; hunt for use of the known static AES-256 key (published by Microsoft) to decrypt cpassword fields in memory or tooling ↗
- ·Vulnerability affects a broad range of Windows versions; patching scope should cover all listed platforms ↗
- ·The root cause is improper handling of password distribution via Group Policy Preferences — any GPP policy storing passwords (e.g., local admin, scheduled tasks, drive maps, services) is affected and should be audited and removed ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck8.8HIGH
cisa8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Microsoft Windows Group Policy Preferences Password Privilege Escalation Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2014-1812 [HIGH] CWE-255 Microsoft Windows Group Policy Preferences Password Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Group Policy Preferences Password Privilege Escalation Vulnerability
Affected: Microsoft Windows
Microsoft Windows Active Directory contains a privilege escalation vulnerability due to the way it distributes passwords that are configured using Group Policy preferences. An authenticated attacker who successfully exploits the vulnerability could decrypt the passwords and use them to elevate privileges on the domain.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-1812
Remediation Due Date: 2022-05-03
GHSA
GHSA-cm2m-vv5g-hpc2: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8
ghsa_unreviewed·2022-05-14
CVE-2014-1812 [HIGH] CWE-522 GHSA-cm2m-vv5g-hpc2: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
VulnCheck
Microsoft Windows Group Policy Preferences Password Privilege Escalation Vulnerability
vulncheck·2014·CVSS 8.8
CVE-2014-1812 [HIGH] CWE-255 Microsoft Windows Group Policy Preferences Password Privilege Escalation Vulnerability
Microsoft Windows Group Policy Preferences Password Privilege Escalation Vulnerability
Microsoft Windows Active Directory contains a privilege escalation vulnerability due to the way it distributes passwords that are configured using Group Policy preferences. An authenticated attacker who successfully exploits the vulnerability could decrypt the passwords and use them to elevate privileges on the domain.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-025; https://www.cve.org/CVERecord?id=CVE-2014-1812; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://media.defense.go
No detection rules found.
Exploit-DB
Chkrootkit 0.49 - Local Privilege Escalation
exploitdb·2014-06-28
CVE-2014-0476 Chkrootkit 0.49 - Local Privilege Escalation
Chkrootkit 0.49 - Local Privilege Escalation
---
We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).
The vulnerability is located in the function slapper() in the
shellscript chkrootkit:
#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
OPT=-an
STATUS=0
file_port=
if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}">
/dev/null 2>&1
then
STATUS=1
[ "$SYSTEM" = "Linux" ] &&
Metasploit
SMB Group Policy Preference Saved Passwords Enumeration
metasploit
SMB Group Policy Preference Saved Passwords Enumeration
SMB Group Policy Preference Saved Passwords Enumeration
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Qualys Security Advisory: SolarWinds / FireEye | Qualys
blogs_qualys·2020-12-22
Qualys Security Advisory: SolarWinds / FireEye | Qualys
#### Qualys Researchers found Millions of devices exposed to vulnerabilities used in the stolen FireEye Red Team tools and SolarWinds Orion by analyzing the anonymized set of vulnerabilities across Qualys’ worldwide customer base
##### Qualys to offer a free 60-day integrated Vulnerability Management, Detection and Response service to help organizations quickly assess the devices impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, or FireEye Red Team tools, and to remediate them and track their remediation via dynamic dashboards. Register athttps://www.qualys.com/solarhack/
On Dec 8, FireEye disclosed the theft of its Red Team assessment tools which leverage over 16 known CVE’s to exploit client environments to test and validate their security posture. FireEye also
Qualys
Qualys Security Advisory: SolarWinds / FireEye
blogs_qualys·2020-12-22
Qualys Security Advisory: SolarWinds / FireEye
## Qualys Researchers found Millions of devices exposed to vulnerabilities used in the stolen FireEye Red Team tools and SolarWinds Orion by analyzing the anonymized set of vulnerabilities across Qualys’ worldwide customer base
## Qualys to offer a free 60-day integrated Vulnerability Management, Detection and Response service to help organizations quickly assess the devices impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, or FireEye Red Team tools, and to remediate them and track their remediation via dynamic dashboards. Register at https://www.qualys.com/solarhack/
On Dec 8, FireEye disclosed the theft of its Red Team assessment tools which leverage over 16 known CVE’s to exploit client environments to test and validate their security posture. FireEye also conf
Unit42
Threat Brief: FireEye Red Team Tool Breach
blogs_unit42·2020-12-11
Threat Brief: FireEye Red Team Tool Breach
Threat Research Center
High Profile Threats
Vulnerabilities
## Threat Brief: FireEye Red Team Tool Breach
Unit 42
Published: December 10, 2020
High Profile Threats
Malware
Vulnerabilities
FireEye breach
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls
Unit42
Threat Brief: FireEye Red Team Tool Breach
blogs_unit42·2020-12-11
Threat Brief: FireEye Red Team Tool Breach
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls and mitigations for defense against the stolen tools. This data is being used by Palo Alto Networks to help ensure our customers are protected if the attackers choose to utilize the tools for malicious purposes.
It i
Fortinet
FireEye Red Team Tool Breach | Fortinet
blogs_fortinet·2020-12-11·CVSS 8.8
[HIGH] FireEye Red Team Tool Breach | Fortinet
PSIRT BLOGS
FireEye Red Team Tool Breach
By Carl Windsor | December 11, 2020
Executive Summary
On December 8th cyber security vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.
This breach has been attributed to a nation state threat actor so we do not expect to see these tools be widely abused in the wild, however with the additional information provided by FireEye, Fortinet have been able to ensure that these tools cannot be abused.
Threat Mitigation
None of the vulnerabilities disclosed as targeted in the tools were zero days, therefore FortiGuard
Qualys
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach
blogs_qualys·2020-12-10
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach
Update Jan 5, 2021 : New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.
Update Dec 23, 2020 : Added a new section on compensating controls.
Update Dec 22, 2020: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):
Active Attacks
Solorigate Sunburst ( New RTI )
Original post : On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the securit
Qualys
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach | Qualys
blogs_qualys·2020-12-10
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach | Qualys
Update Jan 5, 2021: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.
Update Dec 23, 2020: Added a new section on compensating controls.
Update Dec 22, 2020: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):
- Active Attacks
- Solorigate Sunburst (New RTI)
Original post: On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspxhttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspxhttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-1812
2014-05-14
Published
2021-11-03
Added to CISA KEV
Exploited in the wild