High | CISA KEV | Exploited in the wild | Public exploit

Visual Basic for Applications Insecure Library Loading Vulnerability

Identifiers: CVE-2012-1854, CWE-426 (Untrusted Search Path)

CVE-2012-1854 is an insecure library loading / untrusted search path vulnerability in Microsoft Visual Basic for Applications (VBA), specifically involving VBE6.dll as used by Microsoft Office 2003 SP3, Office 2007 SP2/SP3, Office 2010 Gold/SP1, VBA, and Summit Microsoft Visual Basic for Applications SDK. VBA incorrectly restricts the path used for loading external libraries, allowing a malicious DLL placed in the current working directory or other attacker-controlled location to be loaded instead of the intended library. Microsoft described exploitation as possible when a user opens a legitimate Microsoft Office file from the same directory as a specially crafted DLL, including scenarios involving local directories, network shares, UNC paths, or WebDAV locations. This issue is also referred to as the "Visual Basic for Applications Insecure Library Loading Vulnerability." Microsoft reported public disclosure and limited, targeted exploitation in the wild at the time of its 2012 advisory.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in remote code execution in the security context of the logged-on user. An attacker may be able to install programs, view, modify, or delete data, and create new accounts with full user rights. If the victim is running with administrative privileges, the attacker could gain complete control of the affected system. In practical terms, the flaw enables execution of attacker-supplied code through DLL hijacking when a victim opens a legitimate Office document from an attacker-prepared location.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to attacker-controlled library search paths. Microsoft-provided workarounds include disabling library loading from WebDAV and remote network shares, disabling the WebClient service to reduce WebDAV-based attack paths, and blocking TCP ports 139 and 445 to limit SMB/UNC-based delivery. Operationally, users should avoid opening Office documents from untrusted directories, network shares, or WebDAV locations, and should operate without administrative privileges where possible to reduce post-exploitation impact.
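Detection logic for the loading pattern described above, added here as an example and not taken from Microsoft's advisory or from Mallory: it correlates Sysmon process-create (Event ID 1) and image-load (Event ID 7) records by ProcessGuid and flags Office processes that load a DLL from a UNC/WebDAV path or from their own working directory. The event dictionaries, host and user names, DLL names, the Office process list and the trusted-path prefixes are assumptions constructed for illustration, and image-load logging must be enabled in the Sysmon configuration for such events to exist.

```python
import ntpath

# Office hosts that can load VBE6.dll (list is an assumption of this example).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
# Install locations where library loads are expected (assumed default paths).
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def norm_dir(path):
    return path.rstrip("\\").lower()

def find_suspect_loads(events):
    """Correlate Sysmon process-create (ID 1) and image-load (ID 7) events by
    ProcessGuid; return (guid, dll, reason) for loads matching the pattern."""
    cwd_by_guid, findings = {}, []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() not in OFFICE_HOSTS:
            continue
        if ev["EventID"] == 1:
            cwd_by_guid[ev["ProcessGuid"]] = norm_dir(ev["CurrentDirectory"])
        elif ev["EventID"] == 7:
            dll = ev["ImageLoaded"]
            if dll.startswith("\\\\"):
                reason = "remote"  # UNC share or WebDAV redirector path
            elif dll.lower().startswith(TRUSTED):
                continue
            elif norm_dir(ntpath.dirname(dll)) == cwd_by_guid.get(ev["ProcessGuid"]):
                reason = "cwd"     # DLL sits in the process working directory
            else:
                continue
            findings.append((ev["ProcessGuid"], dll, reason))
    return findings

WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
# Constructed sample events; hosts, users and DLL names are placeholders.
SAMPLE = [
    {"EventID": 1, "ProcessGuid": "A", "Image": WORD, "CurrentDirectory": "\\\\fs01\\projects\\q3\\"},
    {"EventID": 7, "ProcessGuid": "A", "Image": WORD,
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL"},
    {"EventID": 7, "ProcessGuid": "A", "Image": WORD, "ImageLoaded": r"\\fs01\projects\q3\example.dll"},
    {"EventID": 1, "ProcessGuid": "B", "Image": EXCEL, "CurrentDirectory": "C:\\Users\\alice\\Downloads\\"},
    {"EventID": 7, "ProcessGuid": "B", "Image": EXCEL, "ImageLoaded": r"C:\Users\alice\Downloads\example.dll"},
    {"EventID": 7, "ProcessGuid": "B", "Image": EXCEL, "ImageLoaded": r"C:\Users\alice\AppData\Local\addin\helper.dll"},
    {"EventID": 7, "ProcessGuid": "C", "Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Temp\example.dll"},
]

if __name__ == "__main__":
    for guid, dll, reason in find_suspect_loads(SAMPLE):
        print(guid, reason, dll)
```

Legitimate add-ins stored on file shares will also match the "remote" rule, so findings are triage leads to be checked against signature and publisher data rather than verdicts.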

Remediation

Patch, then assume compromise.

Apply Microsoft's security updates for MS12-046 and ensure affected Office/VBA components are fully updated. Microsoft released an initial fix in July 2012 and a subsequent November 2012 rerelease to fully address the issue, including replacement of the Office 2003 SP3 update KB2598361 with KB2687626. For Office 2010, Microsoft stated both KB2598243 and KB2553447 are required for protection due to the componentized servicing model. Organizations using third-party applications that redistribute their own copy of VBE6.dll should obtain and deploy an updated VBA SDK/runtime from the vendor or Summit Software, because privately deployed copies may not be updated by Office patching alone.

PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Microsoft Corporation | Office | application
Microsoft Corporation | Visual Basic For Applications | application
Microsoft Corporation | Visual Basic For Applications Sdk | application
