A 2012-era untrusted search path flaw in Microsoft's Visual Basic for Applications was added to CISA's Known Exploited Vulnerabilities catalog on 2026-04-13, giving federal agencies a two-week window to remediate a bug originally exploited in the wild in July 2012.
What Is It
CVE-2012-1854 is an untrusted search path vulnerability (CWE-426) in VBE6.dll, the core library behind Microsoft's Visual Basic for Applications runtime. When a user opens a file such as a .docx from a directory containing a malicious DLL, VBA loads the attacker-controlled library from the current working directory instead of a trusted system path. The result is code execution in the context of the user who opened the document.
NVD scores it CVSS 3.1 7.8 (HIGH) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: local attack vector, user interaction required, and full confidentiality, integrity, and availability impact.
Why It Matters
The NVD record explicitly notes this was "exploited in the wild in July 2012," and CISA's 2026-04-13 KEV addition signals continued active exploitation today. The attack pattern (drop a Trojan DLL alongside an Office document and wait for a user to open it) remains a viable initial-access and privilege-escalation technique anywhere unpatched Office or standalone VBA components are still deployed. The KEV entry does not confirm ransomware use ("Known Ransomware Campaign Use: Unknown").
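The co-location pattern described above and in the description of the flaw (a DLL dropped next to an Office document so the VBA runtime resolves it from the document's directory) can be hunted for on file shares or in collected evidence before the patch status of every endpoint is known. The script below is an added example, not code from the advisory, Microsoft, or CISA: it walks a directory tree, reports every DLL that sits beside an Office document, and rates a hit higher when the DLL carries the name of a library the runtime loads by name. VBE6.dll is the only watched name taken from the page; the directory layout and file names in the sample tree are constructed for the demonstration, and the list of watched names is assumed to be operator-maintained.

```python
# Added example: portable hunt for the DLL-planting pattern behind
# CVE-2012-1854 (a DLL dropped beside an Office document so the VBA runtime
# resolves it from the document's directory). The sample tree is constructed
# here; its directory and file names are made up for the demonstration.
import os
import tempfile
from pathlib import Path

# Document types whose opening can start the VBA runtime and trigger a DLL search.
OFFICE_DOC_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                   ".ppt", ".pptx", ".pptm"}

# VBE6.dll is the component named in the advisory. Other library names an
# environment wants to watch belong here (assumption: operator-maintained list).
HIGH_VALUE_DLLS = {"vbe6.dll"}


def find_planted_dlls(root):
    """Walk `root` and report every DLL that sits in the same directory as an
    Office document. A DLL whose name matches a library the Office/VBA runtime
    loads by name is rated 'high'; any other co-located DLL is 'medium', since
    a document directory is not a legitimate library location either way."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in OFFICE_DOC_EXTS)
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not docs or not dlls:
            continue  # a DLL with no document beside it is out of scope here
        for dll in dlls:
            findings.append({
                "directory": dirpath,
                "dll": dll,
                "documents": docs,
                "severity": "high" if dll.lower() in HIGH_VALUE_DLLS else "medium",
            })
    # Deterministic order so the report (and any diff against a previous run) is stable.
    findings.sort(key=lambda f: (f["directory"], f["dll"]))
    return findings


def build_sample_tree(base):
    """Create a constructed directory layout: two planted DLLs, two benign directories."""
    layout = {
        "share/finance": ["Q3-forecast.docx", "VBE6.dll"],  # planted, rated high
        "share/hr": ["policy.xlsx", "helper.dll"],          # planted, rated medium
        "share/clean": ["notes.docx"],                      # document only, no finding
        "tools": ["util.dll"],                              # DLL only, no finding
    }
    for rel, names in layout.items():
        d = Path(base) / rel
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_bytes(b"constructed sample content")


def run_demo():
    """Build the sample tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_planted_dlls(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['severity'].upper()}] {f['dll']} beside "
              f"{', '.join(f['documents'])} in {f['directory']}")
```

Point `find_planted_dlls` at a mounted share or an extracted evidence tree; every finding is a directory where a user opening the document would cause a library search that the dropped DLL can satisfy, so each one warrants a hash lookup on the DLL and a check of who wrote it there.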
What's Vulnerable
Per the NVD CPE list:
- Microsoft Office 2003 SP3
- Microsoft Office 2007 SP2 and SP3
- Microsoft Office 2010 Gold and SP1 (x86 and x64)
- Microsoft Visual Basic for Applications (VBA)
- Summit Microsoft Visual Basic for Applications SDK
The vulnerable component across all of these is VBE6.dll.
Patch Status
Microsoft addressed this issue in security bulletin MS12-046, originally published July 2012. CISA's required action for federal agencies is to "apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." The KEV due date was 2026-04-27.
Organizations still running any of the affected Office or VBA SDK versions should confirm MS12-046 is applied, or retire the affected software.