CVE-2014-0315
Description
Untrusted search path vulnerability in Windows allows local privilege escalation via trojan cmd.exe when running batch files from a directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability, identified as CVE-2014-0315, is an untrusted search path vulnerability in Microsoft Windows. It exists in the way Windows processes .bat and .cmd files when they are run from network locations or the current working directory. The affected software includes Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 [1]. Specifically, when a user runs a batch script, the system searches for cmd.exe in the current working directory before checking the system path, allowing a malicious cmd.exe placed in that directory to be executed [2].
Exploitation
An attacker must first convince a user to navigate to a directory containing a crafted .bat or .cmd file and a malicious cmd.exe [1]. The user must then run the batch file. For local exploitation, the attacker needs the ability to place files in the current working directory (e.g., via a previously compromised account or removable media). The attacker does not need network access but requires user interaction. The exploitation sequence involves the victim opening a .bat or .cmd file from a directory that also contains a trojan cmd.exe, which the system loads instead of the legitimate one, executing arbitrary code [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the current user. If the user has administrative rights, the attacker can gain full control of the system, leading to complete compromise of confidentiality, integrity, and availability [1]. The vulnerability is rated Important by Microsoft [1].
Mitigation
Microsoft released security update MS14-019 on April 8, 2014, to address this vulnerability [1]. The update corrects the way Windows processes .bat and .cmd files from network locations, preventing the untrusted search path behavior. Users with automatic updating enabled received the update automatically. For systems that cannot be updated, no workaround is documented, and the vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:professional:*:*:*
- cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Untrusted search path in CreateProcess() allows a rogue cmd.exe from the current working directory to be executed when launching .bat or .cmd files."
Attack vector
A local user can place a malicious `cmd.exe` (e.g., a renamed copy of `Write.exe`) in a directory that contains a `.bat` or `.cmd` file. When the victim launches that batch file (or uses the `START` command with `CMD` as the first token), `CreateProcess()` searches the current working directory for `cmd.exe` first [CWE-426]. If the attacker has placed a Trojan horse `cmd.exe` in that directory, it executes with the victim's privileges, leading to privilege escalation [1].
Affected code
The vulnerability lies in the `CreateProcess()` function's handling of `.cmd` and `.bat` files on Windows. When a command line contains a batch script as the first token, `CreateProcess()` searches for `cmd.exe` in the current working directory (CWD) before consulting the system path, allowing a rogue `cmd.exe` placed in the CWD to be executed instead of the legitimate system binary.
What the fix does
Microsoft addressed this vulnerability in MS14-019 (MSKB 2922229). The fix ensures that when `CreateProcess()` encounters a batch script as the first token, it uses the value of the `COMSPEC` environment variable to locate `cmd.exe` rather than searching the current working directory. This prevents a rogue `cmd.exe` placed in the CWD from being executed. The advisory notes that the `START` command's documented behavior — replacing the string "CMD" with the value of `COMSPEC` — was not properly enforced before the patch [1].
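As an added defender-side example (not code from the advisory or from Microsoft), the following Python scan looks for the layout this issue depends on, a file named `cmd.exe` planted beside `.bat`/`.cmd` scripts outside a trusted system directory, and checks that `COMSPEC`, which the patched `CreateProcess()` relies on, names the system `cmd.exe`. The function names and the temporary directory layout are constructed for illustration.

```python
import ntpath
import os
import tempfile
from pathlib import Path

# Hypothetical names, constructed for this example; not from the MS14-019 advisory.
SCRIPT_EXTS = {".bat", ".cmd"}

def find_planted_interpreters(root, trusted_dirs=()):
    """Return directories under `root` that contain both a batch script and a
    file named cmd.exe, skipping directories listed in `trusted_dirs`
    (e.g. the real System32). On an unpatched host this is exactly the layout
    that makes CreateProcess() pick the planted interpreter."""
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}
    hits = []
    for dirpath, _subdirs, filenames in os.walk(root):
        if os.path.normcase(os.path.abspath(dirpath)) in trusted:
            continue
        names = {f.lower() for f in filenames}
        has_script = any(os.path.splitext(n)[1] in SCRIPT_EXTS for n in names)
        if has_script and "cmd.exe" in names:
            hits.append(dirpath)
    return sorted(hits)

def comspec_is_trusted(comspec, system_root):
    """The patched CreateProcess() resolves the interpreter through COMSPEC,
    so COMSPEC itself must name the system cmd.exe. ntpath is used so the
    check behaves the same when run from a non-Windows analysis box."""
    expected = ntpath.join(system_root, "System32", "cmd.exe")
    return ntpath.normcase(ntpath.normpath(comspec)) == ntpath.normcase(expected)

def demo():
    """Constructed layout: a share-like folder holding deploy.bat and a planted
    cmd.exe, and a clean folder with only a script. Returns the flagged dirs."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp, "share")
        share.mkdir()
        (share / "deploy.bat").write_text("@echo off\r\n")
        (share / "cmd.exe").write_bytes(b"MZ")  # stand-in bytes, not a real PE
        docs = Path(tmp, "docs")
        docs.mkdir()
        (docs / "notes.cmd").write_text("@echo off\r\n")
        return [os.path.relpath(h, tmp) for h in find_planted_interpreters(tmp)]

if __name__ == "__main__":
    print(demo())                                                              # ['share']
    print(comspec_is_trusted(r"C:\Windows\System32\cmd.exe", r"C:\Windows"))  # True
    print(comspec_is_trusted(r"\\fileserver\tools\cmd.exe", r"C:\Windows"))   # False
```

Pointing `find_planted_interpreters` at user-writable shares and download folders gives a quick inventory of where an unpatched host would have picked up a planted interpreter.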
Preconditions
- Input: Attacker must be able to place a file named cmd.exe in a directory that the victim will access (e.g., via a .bat or .cmd file or the START command).
- Config: Victim must execute a .bat/.cmd file or run START CMD from that directory.
- Auth: Attacker requires local user access to the system.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.