CVE-2012-1854
Published: 2012-07-10
Priority: P2 (74), high · CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (KEV), remediation due 2026-04-27 · Exploited in the wild (ITW)
EPSS: 21.03% (97.3rd percentile)
Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Visual Basic for Applications Insecure Library Loading Vulnerability," as exploited in the wild in July 2012.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
Detection & IOCs (extracted from sources)
- Monitor for DLL search-order hijacking: a Trojan horse DLL placed in the current working directory alongside a .docx file is picked up when VBE6.dll, loaded by Microsoft Office / VBA processes, resolves a dependency from that directory.
- This vulnerability was actively exploited in the wild in July 2012; prioritize detection on endpoints with Microsoft Office 2003 SP3, 2007 SP2/SP3, and 2010 Gold/SP1, as well as standalone VBA and VBA SDK installations.
- Alert on unexpected DLL loads from user-writable or document-directory paths by Office processes (e.g., WINWORD.EXE, EXCEL.EXE), particularly any DLL loaded from the same directory as an opened .docx file that is not a known-good system or Office DLL.
- The insecure library loading occurs because a DLL that VBE6.dll (and the VBA runtime) requests by name, and that is not present in the application or system directories, is searched for in the current working directory, which the attacker controls when the user opens a document from a directory the attacker has seeded. Use AppLocker or Software Restriction Policies to block DLL execution from user-writable directories.
- Multiple Microsoft products share the vulnerable component: Microsoft Office 2003 SP3, 2007 SP2 and SP3, 2010 Gold and SP1, standalone VBA, and the Summit Microsoft Visual Basic for Applications SDK. All must be patched per MS12-046.
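The two points above, the search-order mechanism and the endpoint detection, as an added example that is not code from the original page, from Microsoft or from any of the sources quoted here. Part 1 is a deliberately simplified model of the legacy Win32 DLL search order (it ignores KnownDLLs, manifests, SetDllDirectory and the LOAD_LIBRARY_SEARCH_* flags) showing why a library that is absent from the application and system directories is taken from the current working directory. Part 2 is a correlation rule over constructed Sysmon-style events (ID 1 ProcessCreate for the command line and working directory, ID 7 ImageLoad for the DLL) that flags an Office process loading a DLL from the opened document's directory, its working directory, or any other path outside Windows and Program Files. The event records, the process list, the document-extension list and the DLL name "planted.dll" are all assumptions made for the example, not indicators from the page.

```python
"""Added example: DLL search-order model plus a Sysmon-style detection rule.
Not code from the original page; all sample events below are constructed."""
from __future__ import annotations

import ntpath
import re

# ---- Part 1: simplified legacy DLL search order -----------------------------
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")


def resolve_dll(name, app_dir, cwd, path_dirs, present, safe_dll_search=True):
    """Return the path LoadLibrary would choose for `name`, or None.

    `present` is the set of files on the simulated disk. With SafeDllSearchMode
    on (the default) the CWD is searched after the system directories; with it
    off the CWD comes right after the application directory. Either way a name
    that exists nowhere trusted falls through to the attacker-controlled CWD.
    """
    if safe_dll_search:
        order = [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    else:
        order = [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]
    present_lc = {p.lower() for p in present}
    for directory in order:
        candidate = ntpath.join(directory, name)
        if candidate.lower() in present_lc:
            return candidate
    return None


# ---- Part 2: Sysmon-style correlation rule ----------------------------------
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Document path on the command line, quoted or not (extension list is an assumption).
DOC_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:docx?|docm|xlsx?|xlsm|pptx?|pptm))"?', re.I)


def _norm(path):
    return ntpath.normpath(path).lower()


def detect(events):
    """Return (ProcessGuid, ImageLoaded, reason) for every suspicious DLL load.

    `events` are dicts using Sysmon EventData field names: EventID, ProcessGuid,
    Image, CommandLine, CurrentDirectory (ID 1) and ImageLoaded, Signed (ID 7).
    """
    # Pass 1: per Office process, remember its CWD and the directory of the
    # document named on its command line.
    context = {}
    for ev in events:
        if ev["EventID"] == 1 and ntpath.basename(ev["Image"]).lower() in OFFICE_IMAGES:
            match = DOC_RE.search(ev.get("CommandLine", ""))
            doc_dir = _norm(ntpath.dirname(match.group(1))) if match else None
            context[ev["ProcessGuid"]] = (_norm(ev.get("CurrentDirectory", "")), doc_dir)

    # Pass 2: judge every ID 7 image load performed by an Office process.
    findings = []
    for ev in events:
        if ev["EventID"] != 7 or ntpath.basename(ev["Image"]).lower() not in OFFICE_IMAGES:
            continue
        loaded = ev["ImageLoaded"]
        load_dir = _norm(ntpath.dirname(loaded))
        if load_dir.startswith(TRUSTED_PREFIXES):
            continue  # Windows and Program Files are not user-writable by default
        cwd, doc_dir = context.get(ev["ProcessGuid"], (None, None))
        if load_dir in (cwd, doc_dir):
            reason = "dll_loaded_from_document_or_working_directory"
        else:
            reason = "dll_loaded_from_user_writable_path"
        if str(ev.get("Signed", "")).lower() != "true":
            reason += "+unsigned"
        findings.append((ev["ProcessGuid"], loaded, reason))
    return findings


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"

# Constructed sample telemetry; "planted.dll" is a placeholder name, not an IOC.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": WINWORD,
     "CommandLine": f'"{WINWORD}" /n "C:\\Users\\alice\\Downloads\\invoice.docx"',
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": WINWORD, "Signed": "true",
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": WINWORD, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\imm32.dll"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": WINWORD, "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\Downloads\planted.dll"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": EXCEL, "Signed": "false",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"EventID": 7, "ProcessGuid": "{C3}", "Image": r"C:\Windows\explorer.exe",
     "Signed": "false", "ImageLoaded": r"C:\Users\bob\Desktop\x.dll"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

On the sample data the rule yields two findings: WINWORD.EXE loading planted.dll from the same directory as invoice.docx (the CVE-2012-1854 pattern), and EXCEL.EXE loading an unsigned DLL from a Temp directory; the Office DLLs under Program Files, the System32 DLL, and the non-Office explorer.exe load are ignored. In production the trusted-prefix allowlist should be tightened to the real Office install paths and the rule joined on ProcessGuid from actual Sysmon data.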
CVSS provenance
- NVD v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.9 MEDIUM (AV:L/AC:M/Au:N/C:C/I:C/A:C)
- VulnCheck: 6.9 MEDIUM
- CISA: 7.8 HIGH
CISA
Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
CISA · added 2026-04-13 · CVSS 7.8 (HIGH) · CWE-426
Affected: Microsoft Visual Basic for Applications (VBA)
Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046 ; https://nvd.nist.gov/vuln/detail/CVE-2012-1854
Remediation Due Date: 2026-04-27
VulDB
Microsoft Office 2003/2007/2010 libraries untrusted search path (MS12-046 / Nessus ID 59909)
VulDB · 2026-04-13 · CVSS 7.8 (HIGH)
A vulnerability was found in Microsoft Office 2003/2007/2010 and declared critical. It affects an unknown function in the library-loading code; the manipulation leads to an untrusted search path.
This vulnerability is tracked as CVE-2012-1854. VulDB rates the attack as performable remotely, whereas NVD's vector scores it as a local attack requiring user interaction (AV:L/UI:R); the trigger is a user opening a document from a directory the attacker has seeded with a DLL. An exploit is available.
Applying a patch is advised to resolve this issue.
GHSA
GHSA-77fm-4w36-vpp3: Untrusted search path vulnerability in VBE6
GHSA (unreviewed) · 2022-05-14 · MEDIUM
VulnCheck
Microsoft Office Untrusted Search Path
VulnCheck · 2012 · CVSS 6.9 (MEDIUM)
Affected: Microsoft Office
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2012-1854; https://lea
No detection rules found.
No public exploits indexed.
Hackernews
CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
The Hacker News · 2026-04-14 · CVSS 7.8 (HIGH)
## CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation.
The list of vulnerabilities is as follows -
CVE-2026-21643 (CVSS score: 9.1) - An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CVE-2020-9715 (CVSS score: 7.8) - A use-after-free vulnerability in Adobe Acrobat Re
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 7
Zscaler blog
References
- http://www.us-cert.gov/cas/techalerts/TA12-192A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046
- https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-046
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14950
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-1854
Timeline
- 2012-07-10: Published
- 2026-04-13: Added to CISA KEV
- Exploited in the wild