Cyber Resilience

CVE-2012-1854

High · CISA KEV · Active Exploitation · EUVD Exploited · LPE

Published: 10 July 2012
Modified: 22 April 2026
KEV Added: 13 April 2026
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0314 (87.2th percentile)
Risk Priority: 37 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2012-1854 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 12.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

The vulnerability is an untrusted search path issue, also described as insecure library loading, in VBE6.dll. It affects Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1, as well as Microsoft Visual Basic for Applications (VBA) and the Summit Microsoft Visual Basic for Applications SDK. The flaw allows a Trojan horse DLL placed in the current working directory to be loaded instead of the legitimate library.

A local attacker can exploit the weakness by positioning a malicious DLL alongside a document such as a .docx file. When a vulnerable Office application or VBA component opens the file, the DLL is loaded with the privileges of the running process, resulting in arbitrary code execution and privilege escalation. The attack requires user interaction to open the document but needs no additional remote access.

Microsoft security bulletin MS12-046 and US-CERT alert TA12-192A recommend installing the vendor-supplied patches that correct the library search order. The updates are also referenced in OVAL definitions for automated detection.

The vulnerability was exploited in the wild in July 2012.

EU & UK References

Vulnerability details

Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Visual Basic for Applications Insecure Library Loading Vulnerability," as exploited in the wild in July 2012.

CWE(s)
KEV Date Added: 13 April 2026

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: trojan

Related Threats

Affected Assets

Vendor: microsoft; Product: office; Versions: 2003, 2007, 2010
Vendor: microsoft; Product: visual basic for applications; Versions: all versions
Vendor: microsoft; Product: visual basic for applications sdk; Versions: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Control type: prevent
Directly requires installation of the vendor patches that correct the insecure library search order in VBE6.dll.

Control type: prevent, detect
Malicious-code protection mechanisms can block or detect the Trojan horse DLL placed in the working directory before it is loaded.

Control type: prevent
Integrity verification of loaded libraries can prevent execution of an unauthorized DLL substituted via the untrusted search path.
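The two detective controls above (flagging a library loaded from the document's working directory, and verifying the integrity of what was loaded) can be checked against image-load telemetry. The script below is an added example for this record, not code from the page's source or from Microsoft. It runs over a few constructed, simplified image-load records modelled on the fields of a Sysmon Event ID 7 (ImageLoaded, Signed, Signature); the allowed install prefixes for the VBA runtime are an assumption and should be replaced with the organisation's own software baseline.

```python
"""Flag VBE6.dll loads that bypass the expected library search path.

Added example for this CVE record (not the page's or Microsoft's code).
Input: constructed 'key=value|key=value' records in the spirit of Sysmon
Event ID 7. ALLOWED_PREFIXES is an assumed baseline; adjust it to your estate.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Assumed legitimate locations of the VBA runtime library (baseline assumption).
ALLOWED_PREFIXES = (
    r"c:\program files\common files\microsoft shared\vba",
    r"c:\program files (x86)\common files\microsoft shared\vba",
)
WATCHED_DLLS = {"vbe6.dll"}

# Constructed sample telemetry: one record per line, fields separated by '|'.
SAMPLE_EVENTS = r"""
EventID=7|Image=C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|ImageLoaded=C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL|Signed=true|Signature=Microsoft Corporation
EventID=7|Image=C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|ImageLoaded=C:\Users\alice\Downloads\invoice\VBE6.DLL|Signed=false|Signature=
EventID=7|Image=C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|ImageLoaded=C:\Windows\System32\ole32.dll|Signed=true|Signature=Microsoft Windows
EventID=7|Image=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE|ImageLoaded=\\fileserver\share\reports\vbe6.dll|Signed=true|Signature=Contoso Ltd
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' record into a dict (empty values allowed)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_allowed_location(path: str) -> bool:
    """True when the DLL path sits under one of the baselined install prefixes."""
    norm = path.lower().replace("/", "\\")
    return any(norm.startswith(prefix) for prefix in ALLOWED_PREFIXES)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for a suspicious VBE6.dll load, or None if benign."""
    if event.get("EventID") != "7":
        return None
    loaded = event.get("ImageLoaded", "")
    if PureWindowsPath(loaded).name.lower() not in WATCHED_DLLS:
        return None
    reasons = []
    # Control 1: the library must come from the baselined install directory,
    # not from the directory of the document being opened.
    if not is_allowed_location(loaded):
        reasons.append("loaded outside baselined VBA install path")
    # Control 2: integrity of the loaded module, approximated here by the
    # signature fields of the telemetry record.
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    elif not event.get("Signature", "").startswith("Microsoft"):
        reasons.append("signed by non-Microsoft publisher '%s'" % event.get("Signature"))
    if not reasons:
        return None
    return "%s -> %s: %s" % (event.get("Image"), loaded, "; ".join(reasons))


def scan(log_text: str) -> List[str]:
    """Run classify() over every record and collect the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

On the constructed input the first record (the signed library from the baselined path) and the third (an unrelated system DLL) pass, while the copy of VBE6.DLL sitting in a Downloads folder and the one on a file share are both reported; the path check fires on its own, so even a validly signed DLL in the wrong location is surfaced.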

References