CVE-2012-1854
Published: 10 July 2012
Summary
CVE-2012-1854 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 12.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
The vulnerability is an untrusted search path issue, also described as insecure library loading, in VBE6.dll. It affects Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1, as well as Microsoft Visual Basic for Applications (VBA) and the Summit Microsoft Visual Basic for Applications SDK. The flaw allows a Trojan horse DLL placed in the current working directory to be loaded instead of the legitimate library.
A local attacker can exploit the weakness by positioning a malicious DLL alongside a document such as a .docx file. When a vulnerable Office application or VBA component opens the file, the DLL is loaded with the privileges of the running process, resulting in arbitrary code execution and privilege escalation. The attack requires user interaction to open the document but needs no additional remote access.
Microsoft security bulletin MS12-046 and US-CERT alert TA12-192A recommend installing the vendor-supplied patches that correct the library search order. The updates are also referenced in OVAL definitions for automated detection.
The vulnerability was exploited in the wild in July 2012.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-1864
Vulnerability details
Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK allows local users to gain privileges…
more
via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Visual Basic for Applications Insecure Library Loading Vulnerability," as exploited in the wild in July 2012.
- CWE(s)
- KEV Date Added
- 13 April 2026
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: trojan
Related Threats
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires installation of the vendor patches that correct the insecure library search order in VBE6.dll.
Malicious-code protection mechanisms can block or detect the Trojan horse DLL placed in the working directory before it is loaded.
Integrity verification of loaded libraries can prevent execution of an unauthorized DLL substituted via the untrusted search path.