CVE-2012-1854: VBA Insecure Library Loading Vulnerability
Summary
CISA has cataloged CVE-2012-1854, an untrusted search path vulnerability in VBE6.dll affecting Microsoft Office 2003 SP3, 2007 SP2/SP3, and 2010 Gold/SP1; Microsoft Visual Basic for Applications (VBA); and the Summit Microsoft Visual Basic for Applications SDK. The vulnerability allows local users to gain privileges via a Trojan horse DLL in the current working directory. CISA confirms this vulnerability was exploited in the wild in July 2012. The CVSS 3.1 score is 7.8 (HIGH), and the SSVC record lists exploitation status as 'active'.
What changed
CISA has added CVE-2012-1854 to its Known Exploited Vulnerabilities catalog, documenting an untrusted search path vulnerability (CWE-426) in Microsoft Visual Basic for Applications and the affected Office versions. The flaw in VBE6.dll allows local privilege escalation via a Trojan horse DLL placed in the current working directory, as demonstrated by opening a .docx file from a directory that also contains the malicious DLL. This is a long-standing vulnerability from 2012 that was exploited in the wild and is now formally cataloged by CISA. The SSVC classification records active exploitation, Automatable: no, and total technical impact.
Organizations running affected Microsoft Office versions (2003 SP3, 2007 SP2/SP3, 2010 Gold/SP1) or using Microsoft VBA should prioritize applying the MS12-046 security update. While no specific compliance deadline is stated, federal agencies are required to remediate KEV vulnerabilities under Binding Operational Directive 22-01. This catalog entry serves as a prioritization signal for security teams to ensure patching of legacy Microsoft Office installations.
What to do next
- Apply Microsoft Security Bulletin MS12-046 patch
- Review systems running Microsoft Office 2003-2010 for vulnerable VBE6.dll versions
- Monitor CISA KEV catalog for updates
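An inventory script for the second step above, added here as an example and not taken from the CISA record or from Microsoft: it locates VBE6.dll copies on a Windows host and flags any whose file version predates the MS12-046 build. The install roots are assumptions about default Office/VBA layouts, and `$PatchedVersion` is a placeholder because the page does not state the post-patch file version; take it from the MS12-046 bulletin before trusting the result.

```powershell
# Added example: inventory VBE6.dll copies and compare against the MS12-046 build.
# Written for PowerShell 2.0+ so it also runs on legacy hosts still carrying Office 2003-2010.
# PLACEHOLDER: replace 0.0.0.0 with the real post-MS12-046 file version from the bulletin.
$PatchedVersion = [System.Version]'0.0.0.0'

# Assumed default Office and shared-VBA install roots; extend for non-default installs.
$SearchRoots = @(
    "$env:ProgramFiles\Common Files\Microsoft Shared\VBA",
    "${env:ProgramFiles(x86)}\Common Files\Microsoft Shared\VBA",
    "$env:ProgramFiles\Microsoft Office",
    "${env:ProgramFiles(x86)}\Microsoft Office"
) | Where-Object { $_ -and (Test-Path $_) }

$Findings = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter 'VBE6.dll' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion   # e.g. "6.5.10.53" (constructed sample value)
            $ver = $null
            # FileVersion strings may carry trailing text; keep only the leading dotted number.
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $ver = [System.Version]$Matches[1] }
            $vulnerable = 'unknown'
            if ($ver) { $vulnerable = ($ver -lt $PatchedVersion) }
            New-Object PSObject -Property @{
                Path        = $_.FullName
                FileVersion = $raw
                Vulnerable  = $vulnerable
            }
        }
}

$Findings | Format-Table Path, FileVersion, Vulnerable -AutoSize
if ($Findings | Where-Object { $_.Vulnerable -eq $true }) {
    Write-Warning 'One or more VBE6.dll copies predate the patched build; apply MS12-046.'
}
```

Run it elevated so every install root is readable; a result of 'unknown' means the version string could not be parsed and the file should be checked by hand.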
Archived snapshot
Apr 14, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: Microsoft Corporation
Description
Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Visual Basic for Applications Insecure Library Loading Vulnerability," as exploited in the wild in July 2012.
Product Status
Information not provided
References (3 total)
- us-cert.gov: TA12-192A third-party-advisory
- oval.cisecurity.org: oval:org.mitre.oval:def:14950 vdb-entry signature
- docs.microsoft.com: MS12-046 vendor-advisory
CVE Program
Updated: 2024-08-06
This container includes required additional information provided by the CVE Program for this vulnerability.
References (3 total)
- us-cert.gov: TA12-192A third-party-advisory x_transferred
- oval.cisecurity.org: oval:org.mitre.oval:def:14950 vdb-entry signature x_transferred
- docs.microsoft.com: MS12-046 vendor-advisory x_transferred
Authorized Data Publishers
CISA-ADP
Updated: 2026-04-14
SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC (1 total)
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-04-13 |
KEV (1 total)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-1854 (2026-04-13)
CWE (1 total)
- CWE-426: Untrusted Search Path
CVSS (1 total)
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 7.8 | HIGH | 3.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.