CVE-2014-6287

CRITICALNVD 9.89.8—Trending — 4 sources updated this weekExploited in the wild

9.8

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

CVSS v3: 9.8
EG Score: 9.8(high)
EPSS: 100.0%
KEV: ⚠ Exploited

Published

October 7, 2014

Last Modified

April 22, 2026

Advisory Details (3)

Auto-updated May 12, 2026

⚠️ Active exploitation confirmed. No patch confirmed yet. Sources: cert.

generic🟡 PoC Available

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) - Windows remote Exploit

https://www.exploit-db.com/exploits/39161/

generic

Http File Server Remote Command Exec by mfadzilr · Pull Request #3793 · rapid7/metasploit-framework · GitHub

https://github.com/rapid7/metasploit-framework/pull/3793

cert🔴 Active Exploitation

VU#251276 - Rejetto HTTP File Server (HFS) search feature fails to handle null bytes

http://www.kb.cert.org/vuls/id/251276

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-94Improper Control of Generation of Code (Code Injection)

Data Freshness Timeline

(refreshed 20× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-06 03:15 UTCEG score recompute
2026-06-06 03:15 UTCGHSA enrichment
2026-06-05 23:10 UTCEG score recompute
2026-06-05 23:10 UTCGHSA enrichment
2026-06-05 22:43 UTCkev_newly_listed
2026-06-05 19:06 UTCEG score recompute
2026-06-05 19:06 UTCGHSA enrichment
2026-06-05 15:01 UTCEG score recompute
2026-06-05 15:01 UTCGHSA enrichment
2026-06-05 10:55 UTCEG score recompute
2026-06-05 10:55 UTCGHSA enrichment
2026-06-05 06:50 UTCEG score recompute
2026-06-05 06:50 UTCGHSA enrichment
2026-06-05 02:45 UTCEG score recompute
2026-06-05 02:45 UTCGHSA enrichment
2026-06-04 22:40 UTCEG score recompute
2026-06-04 22:40 UTCGHSA enrichment
2026-06-04 18:35 UTCEG score recompute
2026-06-04 18:35 UTCGHSA enrichment
2026-06-04 14:30 UTCEG score recompute

Publicly available exploits

(7 references)

Working exploit code is in the public domain (1 Metasploit module) (1 GitHub PoC) (4 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

GitHub PoCrandallbanner/Rejetto-HTTP-File-Server-HFS-2.3.x---Remote-Command-Execution
First seen Apr 4, 2023
CVE-2014-6287
Open source ↗
Exploit-DBEDB-49125
First seen Nov 30, 2020
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
Open source ↗
Exploit-DBEDB-39161✓ verified
First seen Jan 4, 2016
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
Open source ↗
Exploit-DBEDB-34926✓ verified
First seen Oct 9, 2014
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)
Open source ↗
Exploit-DBEDB-34668✓ verified
First seen Sep 15, 2014
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)
Open source ↗
Metasploitexploit/windows/http/rejetto_hfs_exec✓ verified
First seen Sep 11, 2014
Rejetto HttpFileServer Remote Command Execution
Open source ↗
Nucleihttp/cves/2014/CVE-2014-6287.yaml
First seen Jan 1, 2014
HTTP File Server <2.3c - Remote Command Execution
Open source ↗

Frequently asked(6)

What is CVE-2014-6287?

CVE-2014-6287 is a critical vulnerability published on October 7, 2014. The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

When was CVE-2014-6287 disclosed?

CVE-2014-6287 was first published in the National Vulnerability Database on October 7, 2014, with the most recent update on April 22, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2014-6287 actively exploited?

Yes. CISA added CVE-2014-6287 to the Known Exploited Vulnerabilities catalog on March 25, 2022, affecting Rejetto HTTP File Server (HFS). KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.

What is the CVSS score of CVE-2014-6287?

CVE-2014-6287 has a CVSS v3 base score of 9.8 (NVD).

Which products are affected by CVE-2014-6287?

CVE-2014-6287 affects Rejetto HTTP File Server (HFS). The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.

How do I remediate CVE-2014-6287?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2014-6287, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2014-6287

Explore →

Is Your Infrastructure Affected by CVE-2014-6287?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2014-6287

📅 Published

🔄 Last Modified

📋 Advisory Details (3)