CVE-2014-1812

HIGH KEV RANSOMWARE

Microsoft Windows - Privilege Escalation

Exploitation Summary

CVE-2014-1812 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits: one from the researcher mauricelambert and the Metasploit module auxiliary/scanner/smb/smb_enum_gpp.

Description

The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

Exploits (2)

nomisec WORKING POC
by mauricelambert · poc
https://github.com/mauricelambert/gpp-encrypt

This script encrypts passwords to the Group Policy Preferences (GPP) cpassword format, which is vulnerable to decryption due to a hardcoded AES key. It is useful for creating vulnerable lab environments to test CVE-2014-1812.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Group Policy Preferences (GPP)
No auth needed
Prerequisites: Python 3 · PyCryptodome library
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_enum_gpp.rb

This Metasploit module enumerates SMB shares for Group Policy Preference XML files containing encrypted credentials, which it decrypts using Microsoft's public AES key. It is designed to extract and report user credentials from vulnerable domain controllers.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Group Policy Preferences (prior to MS14-025)
Auth required
Prerequisites: SMB access to the target · Valid credentials for authentication · Access to the SYSVOL share
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.6431
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2021-11-03
VulnCheck KEV 2014-05-13
InTheWild.io 2019-05-13
ENISA EUVD EUVD-2014-1886
Ransomware Use Confirmed
CWE: CWE-255, CWE-522
Status published
Products (8)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_vista
Published May 14, 2014
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026