VYPR
Unrated severity · NVD Advisory · Published May 14, 2014 · Updated May 6, 2026

CVE-2014-1807

Description

The ShellExecute API in Windows Shell in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly implement file associations, which allows local users to gain privileges via a crafted application, as exploited in the wild in May 2014, aka "Windows Shell File Association Vulnerability."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Windows ShellExecute API flaw lets local users gain privileges via crafted app; exploited in the wild in May 2014.

Vulnerability

The ShellExecute API in Windows Shell improperly handles file associations. This vulnerability, identified as CVE-2014-1807, affects Windows Server 2003 SP2, Vista SP2, Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, 8.1, Server 2012 Gold and R2, and Windows RT Gold and 8.1 [1]. An attacker can exploit this by running a specially crafted application that calls ShellExecute under certain circumstances.

Exploitation

An attacker must have valid logon credentials and be able to log on locally to the target system [1]. The attacker then runs a specially crafted application that leverages the flawed file association handling in ShellExecute to trigger the vulnerability.

Impact

Successful exploitation results in elevation of privilege, allowing the attacker to gain higher privileges on the system. This vulnerability was exploited in the wild in May 2014 [1].

Mitigation

Microsoft released security update MS14-027 (Knowledge Base Article 2962488) on May 13, 2014 to address this vulnerability [1]. Customers with automatic updating enabled will have the update applied automatically. For those without, manual installation of the update is recommended.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

13
  • cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
  • Range: Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1

References

2