CVE-2017-14355

HIGH

HPE Connected Backup <8.8.6 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-14355. PoCs published by Peter Lapp.

AI-analyzed exploit summary: This exploit leverages a privilege escalation vulnerability in HP Connected Backup by abusing the backup and restore functionality to replace the sticky keys binary (sethc.exe) with cmd.exe, allowing an attacker to gain a SYSTEM shell via the sticky keys feature.

Description

A potential security vulnerability has been identified in HPE Connected Backup versions 8.6 and 8.8.6. The vulnerability could be exploited locally to allow escalation of privilege.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Peter Lapp · python · local · windows
https://www.exploit-db.com/exploits/43857


Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: HP Connected Backup version 8.8.2.0
No auth needed
Prerequisites: Local access to the target system · HP Connected Backup service running · Ability to execute commands on the target system
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101270
Mailing List mailing-list x_refsource_bugtraq
http://seclists.org/bugtraq/2017/Oct/23
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43857/

Scores

CVSS v3 7.8
EPSS 0.0164
EPSS Percentile 73.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
microfocus/connected_backup 8.6
microfocus/connected_backup 8.8.6
Published Dec 05, 2017
Tracked Since Feb 18, 2026