CVE-2014-6324

HIGH KEV

Microsoft Windows - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2014-6324 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 3 public exploits from researchers including Sylvain Monne, dark-vex, Tom Maddock, Sylvain Monne, juan vazquez, including a Metasploit module auxiliary/admin/kerberos/ms14_068_kerberos_checksum.

AI-analyzed exploit summary This exploit leverages CVE-2014-6324 (MS14-068) to forge Kerberos tickets, allowing privilege escalation in Active Directory environments. It manipulates PAC validation to grant arbitrary domain privileges.

Description

The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED

by Sylvain Monne · pythonremotewindows

https://www.exploit-db.com/exploits/35474

View Code ZIP pw:eip

This exploit leverages CVE-2014-6324 (MS14-068) to forge Kerberos tickets, allowing privilege escalation in Active Directory environments. It manipulates PAC validation to grant arbitrary domain privileges.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Complex

Reliability

Reliable

Target: Microsoft Windows Kerberos (Active Directory)

Auth required

Prerequisites: Valid domain user credentials · Domain SID · Access to domain controller

MITRE ATT&CK

T1558.003 - Kerberoasting T1550.003 - Pass the Ticket

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC 2 stars

by dark-vex · pythonpoc

https://github.com/dark-vex/CVE-PoC-collection/tree/master/CVE-2014-6324-MS14-068-Kerberos

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2014-6324 (MS14-068), a Kerberos vulnerability allowing privilege escalation in Active Directory. The exploit manipulates Kerberos tickets to grant domain admin privileges to a user account.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows Kerberos (Active Directory Domain Controllers)

Auth required

Prerequisites: Valid domain user credentials · Domain SID of the target user · Network access to the domain controller

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

metasploit WORKING POC

by Tom Maddock, Sylvain Monne, juan vazquez · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2014-6324 (MS14-068) by forging a Privilege Attribute Certificate (PAC) in Kerberos TGS requests to escalate domain user privileges to Domain Administrator. It generates a TGT ticket with a forged PAC and exports it to a MIT Kerberos Credential Cache file.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Kerberos implementation (Windows Server 2008 and others)

Auth required

Prerequisites: Valid domain user credentials · Domain SID and user RID · Network access to the domain controller

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1212 - Exploitation for Credential Access T1558.001 - Golden Ticket

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8

Core References

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1031237

Mailing List, Third Party Advisory vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=142350249315918&w=2

Not Applicable, Vendor Advisory x_refsource_confirm

http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/70958

Patch, Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/ncas/alerts/TA14-323A

Broken Link third-party-advisory x_refsource_secunia

http://secunia.com/advisories/62556

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-6324

Scores

CVSS v3 8.8

EPSS 0.9035

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-25

VulnCheck KEV 2014-11-18

InTheWild.io 2014-11-18

ENISA EUVD EUVD-2014-6208

Status published

Products (8)

microsoft/windows_7

microsoft/windows_8

microsoft/windows_8.1

microsoft/windows_server_2003

microsoft/windows_server_2008

microsoft/windows_server_2008 r2 sp1 (2 CPE variants)

microsoft/windows_server_2012

microsoft/windows_server_2012 r2

Published Nov 18, 2014

KEV Added Mar 25, 2022

Tracked Since Feb 18, 2026