Search
On this page ▾

KEV 2014

34 CISA Known Exploited Vulnerabilities from 2014

Critical 9

July 2025

CVE-2014-3931

MRLG Looking Glass — Unauthenticated Remote Buffer Overflow Enables Arbitrary Code Execution on Internet-Facing Network Diagnostic Servers

CVSS 9.8

September 2024

CVE-2014-0497

Adobe Flash Player — Zero-Day Integer Underflow in ActionScript Bytecode Interpreter Exploited in Targeted Attacks Before Patch

CVSS 9.8

September 2023

CVE-2014-8361

Realtek SDK miniigd — Unauthenticated SOAP Command Injection via NewInternalClient Enables RCE on Millions of Home Routers and IoT Devices

CVSS 9.8

May 2022

CVE-2014-0546

Adobe Reader/Acrobat XI — Protected Mode Sandbox Escape Enables Native Code Execution Outside the PDF Sandbox

CVSS 9.8

April 2022

CVE-2014-0780

InduSoft Web Studio — Unauthenticated Directory Traversal in NTWebServer Exposes Admin Credentials in ICS/SCADA Environments

CVSS 9.8

March 2022

CVE-2014-6287

Rejetto HFS 2.3b — Null Byte Macro Injection in Search Enables Unauthenticated Remote Code Execution; Staple of Ransomware and Malware Campaigns

CVSS 9.8

January 2022

CVE-2014-1776

Internet Explorer 6–11 — Operation Clandestine Fox: APT3 Zero-Day VML Use-After-Free Targets All IE Versions; Emergency OOB Patch

CVSS 9.8
CVE-2014-6271

GNU Bash 'Shellshock' — Environment Variable Function Definition Parsing Allows Remote Code Execution via CGI, DHCP, and SSH

CVSS 9.8
CVE-2014-7169

GNU Bash — Shellshock Incomplete Fix: Trailing String Execution Still Possible After CVE-2014-6271 Patch 25; Requires Patch 26+

CVSS 9.8

High 23

October 2025

CVE-2014-6278

GNU Bash — Shellshock Variant: Additional Environment Variable Injection Code Path Still Exploitable After Patches 25–26

CVSS 8.8

September 2024

CVE-2014-0502

Adobe Flash Player — Operation GreedyWonk: Zero-Day Double Free Used in Watering Hole Attacks Against Defense Think Tanks

CVSS 8.8

May 2024

CVE-2014-100005

D-Link DIR-600 — No-Auth CSRF Allows Hijacking Admin Session to Change DNS, Firewall Rules, and Router Configuration

CVSS 8.8

May 2022

CVE-2014-2817

Internet Explorer — Zone Elevation Sandbox Escape Enables Privilege Escalation from Protected Mode; Patched MS14-051

CVSS 8.8
CVE-2014-4123

Internet Explorer — Zone/Sandbox Privilege Escalation via Crafted Web Site; Sandbox Escape Component in Exploit Chains; Patched MS14-056

CVSS 8.8
CVE-2014-4148

Windows Win32k TrueType Font — Zero-Day Kernel Font Parsing RCE via Malicious Office Documents; Paired with CVE-2014-4113 in APT Campaigns

CVSS 8.8
CVE-2014-8439

Adobe Flash Player — Dereferenced Pointer in SWF Parsing Enables Remote Code Execution; Patched APSB14-26 (November 2014); Flash EOL December 2020

CVSS 8.8
CVE-2014-0322

Internet Explorer 9/10 — Operation SnowMan: VBScript Use-After-Free Enables Drive-By RCE Against US Military Sites

CVSS 8.8
CVE-2014-3153

Linux Kernel — 'Towelroot': futex_requeue() Privilege Escalation Enables One-Click Android Root and Linux Kernel Exploit

CVSS 7.8
CVE-2014-4077

Windows IME Japanese — IMJPDCT.EXE Sandbox Escape Enables Privilege Escalation from IE Enhanced Protected Mode; Patched MS14-078

CVSS 7.8
CVE-2014-4113

Windows Win32k — Zero-Day Local Privilege Escalation Paired with IE/Flash RCE in APT Campaigns; Patched MS14-058

CVSS 7.8
CVE-2014-0160

OpenSSL 'Heartbleed' — TLS Heartbeat Extension Bounds Check Missing Allows Server Memory Read Without Authentication

CVSS 7.5

April 2022

CVE-2014-9163

Adobe Flash Player — Stack Buffer Overflow in SWF Handling Enables Code Execution; Patched APSB14-27 (December 2014); Flash EOL December 2020

CVSS 7.8

March 2022

CVE-2014-6324

Windows Kerberos KDC — MS14-068: Any Domain User Can Forge a Kerberos PAC Claiming Domain Admin Membership

CVSS 8.8
CVE-2014-6332

Windows OleAut32 — 'God Mode': VBScript SafeArray Memory Corruption in IE Enables Drive-By RCE Bypassing ASLR and DEP

CVSS 8.8
CVE-2014-0496

Adobe Reader/Acrobat XI/X — JavaScript Engine Use-After-Free Allows Remote Code Execution via Malicious PDF

CVSS 8.8
CVE-2014-3120

Elasticsearch — Default Dynamic Scripting Allows Unauthenticated MVEL/Java Code Execution via Search API

CVSS 8.1
CVE-2014-4114

Windows OLE — 'Sandworm' Zero-Day: Remote OLE Package Loading via Office Files Enables RCE Without Code Execution Vulnerabilities

CVSS 7.8
CVE-2014-0130

Ruby on Rails — Implicit Render Path Traversal Allows Arbitrary File Read via Crafted Action Name

CVSS 7.5

February 2022

CVE-2014-6352

Windows OLE — Sandworm Bypass: CVE-2014-4114 Patch Circumvented Within One Week; Second OLE RCE via Crafted OLE Object in Office Documents

CVSS 7.8
CVE-2014-1761

Microsoft Word — Sandworm Team Zero-Day: RTF Parsing Memory Corruption Used in Spear-Phishing Against Ukraine and NATO Targets

CVSS 7.8
CVE-2014-4404

Apple OS X / iOS / tvOS — IOHIDFamily Heap Overflow Enables Kernel Privilege Escalation; Local User to Root via Malicious App

CVSS 7.8

November 2021

CVE-2014-1812

Windows Active Directory GPP — Plaintext Admin Passwords in SYSVOL Encrypted with Microsoft-Published AES Key; Domain-Wide Credential Exposure

CVSS 8.8

Medium 2

November 2024

CVE-2014-2120

Cisco ASA WebVPN — Reflected XSS in Login Page Enables Credential Harvesting and Session Hijacking Against VPN Users

CVSS 6.1

May 2023

CVE-2014-0196

Linux Kernel TTY Subsystem — n_tty_write() Race Condition Allows Local Privilege Escalation or Denial of Service

CVSS 5.5
Gavin Hollinger & AI assembled this air-gap friendly HTML