cbcvebase.
CVE-2012-1661
published 2012-07-12

Priority: P2 · 62 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 23.83% (97.5th percentile)
ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier do not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.

Affected

1 range
Vendor: esri
Product: arcmap
Version range: <= 10.0.2.3200
Fixed in: -

Detection & IOCs (extracted from sources)

url: http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661.htm
url: http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661
filename: .mxd
command: Shell "cmd /c start http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661.htm", vbNormalFocus
  • Detect execution of VBA macro event handler MxDocument_OpenDocument in ArcMap/ArcGIS .mxd files, which fires automatically on document open without user prompt — the exploit entry point.
  • Flag .mxd files received via email or downloaded from the internet for VBA macro content inspection, as these files are not filtered by email systems and can carry embedded malicious macros.
  • Monitor for child processes (e.g., cmd.exe, calc.exe, or browser processes) spawned by ArcMap or ArcGIS Desktop processes, which would indicate Shell() execution from an embedded VBA macro.
  • Affected versions include ArcMap 9, ArcGIS Desktop 10.0 (build 10.0.1.2800, SP1) and ArcGIS Desktop 10.0 (build 10.0.2.3200, SP2) and earlier; additional versions may also be affected.
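
The child-process check in the third bullet, sketched over process-creation events. This is an added example, not part of the original entry or of any vendor rule. It assumes Sysmon-style field names (Image, ParentImage, CommandLine, ParentCommandLine), ArcMap.exe as the parent process name, and the browser names listed; the sample events and paths are constructed.

```python
import ntpath
import re

# Assumptions: ArcMap.exe as the parent to watch, and the browser names below.
ARC_PARENTS = {"arcmap.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "calc.exe", "iexplore.exe", "chrome.exe", "firefox.exe"}
# Pulls the opened map document out of the parent's command line, quoted or not.
MXD_RE = re.compile(r'"([^"]+\.mxd)"|(\S+\.mxd)', re.IGNORECASE)

def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def find_arcmap_spawns(events):
    """Return one alert per suspicious child process started by ArcMap."""
    alerts = []
    for ev in events:
        child = _base(ev.get("Image"))
        if _base(ev.get("ParentImage")) not in ARC_PARENTS or child not in SUSPECT_CHILDREN:
            continue
        m = MXD_RE.search(ev.get("ParentCommandLine") or "")
        alerts.append({
            "child": child,
            "command_line": ev.get("CommandLine", ""),
            # The .mxd that was open when the child started, if it is visible.
            "document": (m.group(1) or m.group(2)) if m else None,
        })
    return alerts

# Constructed sample events; paths, user name and URL are placeholders.
ARCMAP = r"C:\Program Files (x86)\ArcGIS\Desktop10.0\bin\ArcMap.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": ARCMAP,
     "CommandLine": "cmd /c start http://example.invalid/landing.htm",
     "ParentCommandLine": '"' + ARCMAP + '" ' + r'"C:\Users\alice\Downloads\parcels.mxd"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\splwow64.exe", "ParentImage": ARCMAP,
     "CommandLine": "splwow64.exe", "ParentCommandLine": '"' + ARCMAP + '"'},
    {"Image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", "ParentImage": ARCMAP.upper(),
     "CommandLine": "iexplore.exe http://example.invalid/", "ParentCommandLine": '"' + ARCMAP + '"'},
]

if __name__ == "__main__":
    for alert in find_arcmap_spawns(SAMPLE_EVENTS):
        print(alert)
```

Recording the .mxd path with each alert ties the spawned process to the document that was open, which is the file to pull for macro inspection.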