CVE-2014-1812
published 2014-05-14


Priority: P1 90 (high); CVSS 3.1: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 64.31% (99.1th percentile)
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

Affected (2 ranges)

Vendor    | Product             | Version range | Fixed in
microsoft | windows_server_2008 |               |
microsoft | windows_server_2012 |               |

Detection & IOCs (extracted from sources)

  • Attackers exploit this vulnerability by accessing the SYSVOL share on domain controllers to retrieve Group Policy Preferences (GPP) XML files containing encrypted (cpassword) credentials.
  • Detection focus: monitor authenticated SMB access to the SYSVOL share, particularly enumeration of GPP XML files (Groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml) for cpassword fields.
  • This vulnerability was actively exploited in the wild; treat any access to SYSVOL GPP XML files by non-administrative or unexpected accounts as a high-priority alert.
  • An authenticated attacker decrypts cpassword values from GPP files to escalate privileges on the domain; hunt for use of the known static AES-256 key (published by Microsoft) to decrypt cpassword fields in memory or in tooling.
  • The vulnerability affects a broad range of Windows versions; patching scope should cover all listed platforms.
  • The root cause is improper handling of password distribution via Group Policy Preferences: any GPP policy storing passwords (e.g., local admin, scheduled tasks, drive maps, services) is affected and should be audited and removed.
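As an added defensive example (not part of this record, nor Microsoft's or any vendor's tooling): a Python audit script that walks a SYSVOL copy, picks out the GPP preference files named in the detection bullet above (plus Drives.xml, since the last bullet names drive maps), and reports every preference item that still carries a non-empty cpassword attribute together with the account it is for. It never decrypts, stores or prints the cpassword value itself; the goal is the remediation list the last bullet asks for. The account-attribute names, the directory layout, the GUIDs and the cpassword strings in the constructed samples are assumptions and placeholders, not values taken from this page.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# GPP preference files whose <Properties> element may carry a cpassword attribute.
# The first five names come from the detection bullet; Drives.xml is the
# drive-map file (assumption: the file name used by GPP for drive maps).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}

# Attribute names GPP uses to say which account a stored password belongs to
# (userName, runAs, accountName, username); assumed, matched case-insensitively.
ACCOUNT_ATTRS = {"username", "runas", "accountname"}


@dataclass(frozen=True)
class Finding:
    path: str      # file that still distributes a password
    element: str   # preference item type, e.g. User, Task, NTService, Drive
    account: str   # account the password is for ("" if the file does not say)


def _scan_tree(root: ET.Element, path: str) -> List[Finding]:
    """Walk one parsed GPP document and report every non-empty cpassword.
    The cpassword value itself is never kept, returned or printed."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        if not attrs.get("cpassword"):
            continue  # attribute absent or empty: no password is distributed
        account = next((v for k, v in attrs.items() if k in ACCOUNT_ATTRS), "")
        item = parent_of.get(elem, root)  # <Properties> sits under the item element
        findings.append(Finding(path, item.tag, account))
    return findings


def find_cpassword(xml_text: str, path: str = "<inline>") -> List[Finding]:
    """Audit a single GPP XML document supplied as a string."""
    return _scan_tree(ET.fromstring(xml_text), path)


def scan_sysvol(sysvol_root: str) -> List[Finding]:
    """Recursively audit a SYSVOL tree (or an offline copy of it).
    Files that fail to parse are reported as UNPARSEABLE rather than skipped,
    so a hand-edited or corrupt policy file still gets reviewed."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                findings.extend(_scan_tree(ET.parse(full).getroot(), full))
            except ET.ParseError:
                findings.append(Finding(full, "UNPARSEABLE", ""))
    return sorted(findings, key=lambda f: (f.path, f.element, f.account))


# Constructed sample files: placeholder GUIDs and cpassword strings, not real data.
# The second User has an empty cpassword and must not be reported.
SAMPLE_GROUPS_XML = """<Groups clsid="{00000000-0000-0000-0000-0000000000AA}">
  <User clsid="{00000000-0000-0000-0000-0000000000BB}" name="Administrator (built-in)"
        image="2" changed="2014-05-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="Local admin set by GPP"
                cpassword="EXAMPLE_NOT_A_REAL_CPASSWORD==" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-0000000000BB}" name="svc_backup"
        image="2" changed="2014-05-01 10:05:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" fullName="" description="No password stored"
                cpassword="" changeLogon="0" noChange="0" neverExpires="0"
                acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>
"""

SAMPLE_TASKS_XML = """<ScheduledTasks clsid="{00000000-0000-0000-0000-0000000000CC}">
  <Task clsid="{00000000-0000-0000-0000-0000000000DD}" name="NightlyCleanup" image="0"
        changed="2014-05-02 08:00:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="C" name="NightlyCleanup" appName="cleanup.exe" args="" startIn=""
                comment="" runAs="svc_cleanup@corp.example"
                cpassword="EXAMPLE_NOT_A_REAL_CPASSWORD_2==" enabled="1"/>
  </Task>
</ScheduledTasks>
"""


def demo() -> List[Finding]:
    """Build a throwaway SYSVOL-like tree from the samples and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = os.path.join(tmp, "corp.example", "Policies",
                             "{00000000-0000-0000-0000-00000000BEEF}", "Machine", "Preferences")
        for sub, name, text in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                                ("ScheduledTasks", "ScheduledTasks.xml", SAMPLE_TASKS_XML)):
            os.makedirs(os.path.join(prefs, sub), exist_ok=True)
            with open(os.path.join(prefs, sub, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.element} item stores a password for "
              f"{f.account or '<account not recorded>'}")
```

Run it as `python gpp_audit.py` to see the two constructed findings, or call `scan_sysvol(r"\\dc01.corp.example\SYSVOL")` (path assumed) from a host that can read the share; each finding is a policy item to remove, followed by a password change for the account it names, since the policy file may already have been read by anyone who could browse SYSVOL.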

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck |         | 8.8   | HIGH     |
cisa      |         | 8.8   | HIGH     |