CVE-2014-1812
CVE-2014-1812 is a high-severity vulnerability in Microsoft Windows 7 with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-255.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.0
- EPSS exploit prediction: 65% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2014-1886
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-255
- Affected product: Microsoft Windows 7
- Published:
- Last modified:
Description
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
Microsoft Group Policy Preferences Password Leak in SYSVOL (CVE-2014-1812)
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2014-1812 is a credential disclosure vulnerability in Microsoft Windows Group Policy Preferences. When administrators use Group Policy Preferences to set local account passwords, the credentials are stored in XML files within the domain's SYSVOL share. These passwords are encrypted with a hardcoded AES key that was published by Microsoft, making decryption trivial for any domain user with read access to SYSVOL.
Background
Group Policy Preferences (GPP) was introduced in Windows Server 2008 as a way to configure and deploy settings across Active Directory domains, including the creation of local user accounts and password changes. These preference files are stored in the SYSVOL share, which is replicated to all domain controllers and readable by all authenticated domain users. In May 2014, it was discovered that passwords configured through GPP were protected by reversible AES encryption using a publicly documented key.
Root Cause
This vulnerability stems from CWE-255: Credentials Management Issues. The implementation relied on a static, hardcoded AES encryption key to protect passwords stored in XML files on a share accessible to all authenticated users. Because the key was published in Microsoft documentation, the encryption provided no meaningful security boundary. Any authenticated domain user could read the XML files from SYSVOL and decrypt the embedded passwords, effectively bypassing the intended access control.
Impact
With a CVSS v2 score of 9.0 and a CVSS v3.1 score of 8.8, this vulnerability is rated as high severity. The metrics reflect that successful exploitation requires only low privileges (authenticated domain user) and low attack complexity, with network as the attack vector. The impact is complete across confidentiality, integrity, and availability: an attacker who obtains decrypted credentials can compromise local administrator accounts, move laterally across systems, and potentially gain domain-level privileges.
Exploitation Walkthrough
Note: This section is provided for defensive awareness only. The exploitation of this vulnerability against systems without authorization is illegal and unethical.
Attackers typically follow this pattern:
- Enumerate the SYSVOL share on a domain controller for GPP XML files (commonly found in
\\<domain>\SYSVOL\<domain>\Policies\). - Identify XML files containing the
cpasswordattribute, such asGroups.xml,ScheduledTasks.xml,Services.xml, orDataSources.xml. - Extract the
cpasswordvalue, which is the AES-encrypted password string. - Decrypt the
cpasswordusing the publicly known AES key. This yields the plaintext password. - Use the recovered credentials to authenticate to affected systems, typically as a local administrator, enabling lateral movement and privilege escalation.
Affected and Patched Versions
This vulnerability affects:
- Windows Vista SP2
- Windows Server 2008 SP2 and R2 SP1
- Windows 7 SP1
- Windows 8
- Windows 8.1
- Windows Server 2012 Gold and R2
Microsoft addressed this in MS14-025, released on May 13, 2014. The update removed the ability to set passwords via Group Policy Preferences. For environments where patching is not possible, the recommended approach is to remove all GPP password entries and rotate any credentials that were previously deployed through this mechanism.
Remediation
- Apply MS14-025: Install the security update from Microsoft that removes password configuration options from Group Policy Preferences.
- Remove existing GPP passwords: Delete any
cpasswordentries from GPP XML files in SYSVOL and replace them with alternative credential management approaches. - Rotate compromised credentials: Any password ever deployed through GPP should be considered compromised and changed immediately.
- Adopt Local Administrator Password Solution (LAPS): Use Microsoft LAPS to manage unique local administrator passwords across domain-joined machines, rather than deploying shared passwords via Group Policy.
- Compensating controls: Restrict SYSVOL access to the minimum necessary, implement Group Policy filtering, and monitor for unauthorized access to the SYSVOL share.
Detection
- File analysis: Scan GPP XML files in SYSVOL for the presence of
cpasswordattributes. A non-emptycpasswordindicates a stored encrypted password. - Event logging: Monitor Windows Event Logs for suspicious authentication attempts using recovered local administrator credentials.
- Network monitoring: Alert on lateral movement patterns, such as pass-the-hash or remote service creation events, following authentication with known local admin accounts.
- SIEM queries: Create rules to detect access to SYSVOL shares from non-administrative workstations or at unusual times.
Assessment
CVE-2014-1812 remains a highly relevant vulnerability over a decade after disclosure. With an EPSS score of 0.65117 and a percentile of 0.99157, it sits in the top tier of exploited vulnerabilities and is included in the CISA Known Exploited Vulnerabilities (KEV) catalog since November 3, 2021. It has also been observed in ransomware operations. The key lesson is that reversible encryption of credentials—especially when the key is public—must never be treated as a security control. Organizations should treat any password ever deployed through GPP as potentially compromised, regardless of when the vulnerability was patched.
References
Frequently asked questions
- What is CVE-2014-1812?
- The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
- How severe is CVE-2014-1812?
- CVE-2014-1812 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2014-1812 being actively exploited?
- Yes. CVE-2014-1812 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2014-1812?
- CVE-2014-1812 primarily affects Microsoft Windows 7. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2014-1812?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2014-1812 have an EU (EUVD) identifier?
- Yes. CVE-2014-1812 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2014-1886. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2014-1812 published?
- CVE-2014-1812 was published on 2014-05-14 and last updated on 2026-06-17.
References
- http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-1812
Affected products (9)
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 7
- CVE-2020-1467 — Critical (CVSS 10.0): An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully…
- CVE-2015-2373 — Critical (CVSS 10.0): The Remote Desktop Protocol (RDP) server service in Microsoft Windows 7 SP1, Windows 8, and Windows Server 2012 allows…
- CVE-2015-0014 — Critical (CVSS 10.0): Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2…
- CVE-2014-6321 — Critical (CVSS 10.0): Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,…
- CVE-2013-3195 — Critical (CVSS 10.0): The DSA_InsertItem function in Comctl32.dll in the Windows common control library in Microsoft Windows XP SP2, Windows…
- CVE-2013-3175 — Critical (CVSS 10.0): Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1,…
All CVEs affecting Microsoft Windows 7 →
Other CWE-255 (Credentials Management Errors) vulnerabilities
- CVE-2016-0898 — Critical (CVSS 10.0): MySQL for PCF tiles 1.7.x before 1.7.10 were discovered to log the AWS access key in plaintext. These credentials were…
- CVE-2015-7906 — Critical (CVSS 10.0): LOYTEC LIP-3ECTB 6.0.1, LINX-100, LVIS-3E100, and LIP-ME201 devices allow remote attackers to read a password-hash…
- CVE-2015-7856 — Critical (CVSS 10.0): OpenNMS has a default password of rtc for the rtc account, which makes it easier for remote attackers to obtain access…
- CVE-2014-9736 — Critical (CVSS 10.0): GE Healthcare Centricity Clinical Archive Audit Trail Repository has a default password of initinit for the (1) SSL key…
- CVE-2014-7233 — Critical (CVSS 10.0): GE Healthcare Precision THUNIS-800+ has a default password of (1) 1973 for the factory default System Utilities menu,…
- CVE-2014-7232 — Critical (CVSS 10.0): GE Healthcare Discovery XR656 and XR656 G2 has a password of (1) 2getin for the insite user, (2) 4$xray for the xruser…
Browse all CWE-255 (Credentials Management Errors) vulnerabilities →