CVE-2012-1854
published 2012-07-10

CVE-2012-1854: Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications…

Priority: P274, high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
KEV: CISA Known Exploited Vulnerability, due 2026-04-27
ITW: Exploited in the wild
EPSS: 21.03% (97.3th percentile)
Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Visual Basic for Applications Insecure Library Loading Vulnerability," as exploited in the wild in July 2012.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
microsoft | office
microsoft | office
microsoft | office

Detection & IOCs (extracted from sources)

filename: VBE6.dll
  • Monitor for DLL search-order hijacking via a Trojan horse DLL placed in the current working directory alongside a .docx file, targeting VBE6.dll loading by Microsoft Office / VBA processes.
  • This vulnerability was actively exploited in the wild in July 2012; prioritize detection on endpoints with Microsoft Office 2003 SP3, 2007 SP2/SP3, and 2010 Gold/SP1, as well as standalone VBA SDK installations.
  • Alert on unexpected DLL loads from user-writable or document-directory paths by Office processes (e.g., WINWORD.EXE, EXCEL.EXE) — particularly any DLL loaded from the same directory as an opened .docx file that is not a known-good system or Office DLL.
  • The insecure library loading occurs because VBE6.dll (and the VBA runtime) resolve DLL dependencies from the current working directory before trusted system paths; ensure AppLocker or Software Restriction Policies block DLL execution from user-writable directories.
  • Multiple Microsoft products share the vulnerable component: Microsoft Office 2003 SP3, 2007 SP2 and SP3, 2010 Gold and SP1, standalone VBA, and the Summit Microsoft Visual Basic for Applications SDK; all must be patched per MS12-046.
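
The Office image-load check from the bullets above, as an added example (not code from this page or from any vendor). It assumes events shaped like Sysmon image-load records (`Image`, `ImageLoaded`) plus a hypothetical `Document` field that your pipeline fills with the opened file's path; the trusted roots and every sample event are constructed.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Assumptions: Office binaries named on the page; default Windows install roots.
OFFICE_PROCESSES = {"winword.exe", "excel.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _norm(path):
    # Collapse ".." segments and case so the prefix check cannot be sidestepped.
    return ntpath.normcase(ntpath.normpath(path))

def classify_load(event):
    """Return None, 'untrusted-path' or 'document-directory' for one event."""
    proc = ntpath.basename(_norm(event["Image"]))
    dll = _norm(event["ImageLoaded"])
    if proc not in OFFICE_PROCESSES or not dll.endswith(".dll"):
        return None
    if dll.startswith(TRUSTED_ROOTS):
        return None
    doc = event.get("Document")  # hypothetical enrichment field
    if doc and ntpath.dirname(_norm(doc)) == ntpath.dirname(dll):
        return "document-directory"  # DLL sits beside the opened document
    return "untrusted-path"

def scan(events):
    """Return (event index, verdict) for every load worth alerting on."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify_load(ev)
        if verdict:
            hits.append((i, verdict))
    return hits

# Constructed sample events, not taken from any real incident.
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
DOC = r"C:\Users\alice\Downloads\invoice\report.docx"
SAMPLE_EVENTS = [
    {"Image": WORD, "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL", "Document": DOC},
    {"Image": WORD, "ImageLoaded": r"C:\Users\alice\Downloads\invoice\example.dll", "Document": DOC},
    {"Image": EXCEL, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll", "Document": r"C:\Users\alice\Documents\budget.xlsx"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Users\alice\Downloads\invoice\example.dll"},
    {"Image": WORD, "ImageLoaded": r"C:\Windows\..\Users\alice\Downloads\invoice\example.dll", "Document": DOC},
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_EVENTS):
        print(index, verdict, SAMPLE_EVENTS[index]["ImageLoaded"])
```

The last sample shows why paths are normalised before the trusted-root check: its raw string starts with `C:\Windows\` but resolves to the document directory.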

CVSS provenance

nvd, v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd, v2.0: 6.9 MEDIUM, AV:L/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 6.9 MEDIUM
cisa: 7.8 HIGH