CVE-2014-6321
Published: 2014-11-11
Priority: P1 86 · Severity: critical · CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 95.99% (99.9th percentile)
Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Client-side heap overflow: attacker sends a crafted DTLS HelloVerifyRequest with a CookieSize value larger than 32 bytes, causing a heap overflow in CSsl3TlsClientContext::DigestServerHelloVerifyRequest via memcpy into a fixed heap target (edi+0x270).
- The exploit does not require an established RDP session: a crafted DTLS packet can be sent to the server pre-authentication to trigger the server-side OOB read.
- Monitor schannel.dll for crashes or anomalous behaviour in lsass.exe, particularly call stacks involving DTLSCookieManager::ValidateCookie or CSsl3TlsClientContext::DigestServerHelloVerifyRequest.
- Inspect DTLS ClientHello packets where the CookieLength field value (0x20 / 32) does not match the actual byte length of the cookie payload; a mismatch between the declared size and the bytes present is the crafted attack pattern.
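The last detection item above is a structural check that can be automated on captured UDP payloads. The following parser is an added example, not code from this page or from any of the sources it aggregates. It walks the DTLS record and handshake headers, locates the ClientHello cookie, and reports two conditions: a CookieLength field larger than the 32 bytes (0x20) the page gives as the expected cookie size (the 32-byte limit is an assumption taken from that figure), and a CookieLength field that claims more bytes than the fragment actually carries. Every sample packet is constructed inline with the helper `build_client_hello` (hypothetical, DTLS 1.0 layout, one record, one fragment); the mismatched case is produced by truncating a well-formed packet inside its cookie, the way a partial capture or a short datagram would look on the wire.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

DTLS_HANDSHAKE = 22       # record-layer ContentType for handshake messages
HS_CLIENT_HELLO = 1       # HandshakeType ClientHello
EXPECTED_COOKIE_LEN = 32  # assumption: the 0x20-byte cookie length the page describes


@dataclass
class CookieCheck:
    is_client_hello: bool
    cookie_len_field: Optional[int] = None       # value of the CookieLength byte
    cookie_bytes_present: Optional[int] = None   # cookie bytes actually in the fragment
    findings: List[str] = field(default_factory=list)


def check_dtls_client_hello(pkt: bytes) -> CookieCheck:
    """Parse one DTLS record; if it carries a ClientHello, compare the CookieLength
    field with the bytes really present. Every slice is bounds-checked, so a
    truncated or lying packet is reported as a finding, never as an exception."""
    findings: List[str] = []
    # DTLS record header: type(1) version(2) epoch(2) seq(6) length(2) = 13 bytes
    if len(pkt) < 13:
        return CookieCheck(False, findings=["record header truncated"])
    if pkt[0] != DTLS_HANDSHAKE:
        return CookieCheck(False)
    rec_len = struct.unpack("!H", pkt[11:13])[0]
    body = pkt[13:13 + rec_len]
    if len(body) < rec_len:
        findings.append(f"record length field {rec_len} exceeds captured bytes {len(body)}")
    # Handshake header: msg_type(1) length(3) message_seq(2) frag_offset(3) frag_length(3) = 12 bytes
    if len(body) < 12:
        findings.append("handshake header truncated")
        return CookieCheck(False, findings=findings)
    if body[0] != HS_CLIENT_HELLO:
        return CookieCheck(False, findings=findings)
    frag_len = int.from_bytes(body[9:12], "big")
    frag = body[12:12 + frag_len]
    if len(frag) < frag_len:
        findings.append(f"fragment_length {frag_len} exceeds captured bytes {len(frag)}")
    # ClientHello body: version(2) random(32) sid_len(1) sid cookie_len(1) cookie ...
    off = 34
    if len(frag) < off + 1:
        findings.append("ClientHello truncated before session_id")
        return CookieCheck(True, findings=findings)
    off += 1 + frag[off]          # skip session_id
    if len(frag) < off + 1:
        findings.append("ClientHello truncated before cookie length")
        return CookieCheck(True, findings=findings)
    cookie_len = frag[off]
    off += 1
    present = min(cookie_len, len(frag) - off)   # cookie bytes that really exist
    if cookie_len > EXPECTED_COOKIE_LEN:
        findings.append(f"cookie length field {cookie_len} exceeds expected maximum {EXPECTED_COOKIE_LEN}")
    if present != cookie_len:
        findings.append(f"cookie length field {cookie_len} but only {present} cookie bytes present")
    return CookieCheck(True, cookie_len, present, findings)


def build_client_hello(cookie: bytes, session_id: bytes = b"") -> bytes:
    """Constructed, well-formed DTLS 1.0 ClientHello in one record and one fragment.
    Only used to produce sample input for the checker above."""
    body = (b"\xfe\xff"                       # client_version: DTLS 1.0
            + bytes(32)                       # random (constructed zeros)
            + bytes([len(session_id)]) + session_id
            + bytes([len(cookie)]) + cookie
            + b"\x00\x02\x00\x2f"             # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
            + b"\x01\x00")                    # one compression method: null
    hs = (bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
          + b"\x00\x00"                       # message_seq
          + (0).to_bytes(3, "big")            # fragment_offset
          + len(body).to_bytes(3, "big")      # fragment_length
          + body)
    return (bytes([DTLS_HANDSHAKE]) + b"\xfe\xff" + b"\x00\x00" + bytes(6)
            + struct.pack("!H", len(hs)) + hs)


if __name__ == "__main__":
    good = build_client_hello(bytes(range(32)))
    samples = [("well-formed", good),
               ("truncated inside cookie", good[:69]),   # cookie starts at byte 61; 8 bytes remain
               ("oversized cookie", build_client_hello(bytes(40)))]
    for label, pkt in samples:
        print(label, check_dtls_client_hello(pkt))
```

The checker deliberately keeps going after a length-field inconsistency instead of bailing out, because the combination of findings (record length, fragment length and cookie length all overstating the bytes present) is what distinguishes a short datagram from a ClientHello whose CookieLength byte alone is wrong.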
CVSS provenance
- NVD (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-fv59-6vgm-w859 (ghsa_unreviewed, 2022-05-13): CVE-2014-6321, severity HIGH, CWE-94. Carries the same Schannel description as the CVE record above.
VulnCheck
Microsoft Windows Improper Control of Generation of Code ('Code Injection') (vulncheck, 2014, CVSS 10.0, CRITICAL). Carries the same Schannel description as the CVE record above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://storage.ghost.io/c/af/a0/afa04ee3-414f-4481-8d23-7e7c146f192e/content/files/2026/03/2025YiR-report.pdf
No detection rules found.
No public exploits indexed.
Unit42
Don’t Miss A Single Threat Intelligence Update from Unit 42! (blogs_unit42, 2014-12-29, CVSS 10.0, CRITICAL)
Chad Berndtson, published December 29, 2014
Tags: Malware, Threat Research, 419 Evolution, CoolReaper, Threat intelligence, Threat Landscape Review, Whitepaper, WireLurker
Unit 42 is the Palo Alto Networks threat intelligence team. Made up of accomplished cybersecurity researchers and industry experts, Unit 42 gathers, researches, analyzes, and provides insights into the latest cyber threats, then shares them with Palo Alto Networks customers, partners and the broader community to better protect enterprise, service provider, and government computing environments.
You can now have up-to-the-minute threat intelligence updates from Unit 42 delivered right to your inbox, as they’re posted. Click here to subscribe.
Regular research analysis is posted to the Unit 42 threat intelligence blog. Unit 42 also publishes whitepapers examining, in detail, threats to mobile device ecosystems, APTs, malware attack patterns and other subjects crucial to any security practi
Unit42
DTLS Vulnerabilities in CVE-2014-6321 (blogs_unit42, 2014-12-10, CVSS 10.0, CRITICAL)
Jin Chen, Shengming Xu, published December 10, 2014
Tags: Threat Research, Vulnerabilities, CVE-2014-6321, Datagram Transport Layer Security, DTLS, Microsoft Remote Desktop Protocol, Microsoft Security Bulletin, Microsoft Windows, MS14-066, Remote Desktop Gateway, Schannel
Microsoft recently released a patch for a critical vulnerability in Microsoft Secure Channel (aka Schannel). This vulnerability is being referred to as MS14-066. The patch addressing CVE-2014-6321 fixed many areas within schannel.dll, including at least two vulnerabilities related to the handling of the Datagram Transport Layer Security (DTLS) protocol.
DTLS is used by Microsoft Remote Desktop Protocol (RDP) to provide communications privacy for datagram protocols. The DTLS protocol is used by Microsoft Windows Remote Desktop Gateway (RDG) to establish a secure channel between the RDG client and RDG server (described in detail in [MS_TSGU].pdf).
### DTLS Handshake
The RDG client initiates the DTLS connection by sending a ClientHello to the RDG Server. The RDG server then responds with a
Talos
Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities (blogs_talos, 2014-11-11, CVSS 7.8, HIGH)
This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. They cover a total of 33 CVEs.
We’ll start off with the four critical bulletins, for a total of 21 CVEs that can result in remote code execution:
Our first bulletin of the month is MS14-064 and fixes two vulnerabilities (CVE-2014-6332, CVE-2014-6352) in Windows Object Linking and Embedding (OLE) that could allow remote code execution. Both issues are seeing attack in the wild and can be considered 0-days. CVE-2014-6352 is a vulnerabil
arXiv
Large Language Models Are Unreliable for Cyber Threat Intelligence (arxiv_fulltext, 2025-11-12)
## Abstract
Several recent works have argued that Large Language Models (LLMs) can be used to tame the data deluge in the cybersecurity field, by improving the automation of Cyber Threat Intelligence (CTI) tasks. This work presents an evaluation methodology that, besides allowing LLMs to be tested on CTI tasks with zero-shot learning, few-shot learning and fine-tuning, also quantifies their consistency and their confidence level. We run experiments with three state-of-the-art LLMs and a dataset of 350 threat intelligence reports and present new evidence of potential security risks in relying on LLMs for CTI. We show how LLMs cannot guarantee sufficient performance on real-size reports while also being inconsistent and overconfident. Few-shot learning and fine-tuning only partia
References
- http://blog.beyondtrust.com/triggering-ms14-066
- http://marc.info/?l=bugtraq&m=142384364031268&w=2
- http://secunia.com/advisories/59800
- http://www.kb.cert.org/vuls/id/505120
- http://www.securityfocus.com/bid/70954
- http://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/
- http://www.us-cert.gov/ncas/alerts/TA14-318A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-066