[KEV] CVE-2012-1854 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2012-1854 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2012-1854 is an insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) that can allow an attacker to achieve remote code execution on affected systems.

Technical Detail

The flaw stems from VBA loading dynamic-link libraries (DLLs) in an unsafe manner, allowing an attacker to place a malicious DLL in a location that the application searches before the legitimate library path. An attacker who can place a crafted DLL in a directory accessible during VBA execution, typically by convincing a user to open a file from a network share or a directory containing the malicious library, can trigger the vulnerable load sequence. Successful exploitation results in arbitrary code execution in the context of the user running the VBA-enabled application, which may include Microsoft Office components that embed VBA.

Exploitation Status

The exploit maturity for this vulnerability is rated Operational, meaning functional exploit code exists and has been demonstrated in real-world attack conditions. CISA has confirmed active exploitation in the wild, adding this CVE to the Known Exploited Vulnerabilities catalog on April 13, 2026. Despite the vulnerability's age, its continued exploitation indicates adversaries are actively leveraging it against unpatched targets.

Who Is Targeting This

No specific threat actor attribution is confirmed at this time. The absence of attribution data does not reduce the risk given CISA's confirmation of active exploitation. Organizations should treat this as a broadly exploited vulnerability rather than a targeted campaign.

What To Do

CISA's Known Exploited Vulnerabilities catalog listing requires federal agencies to apply patches or mitigations by the deadline associated with the April 13, 2026 addition. All organizations should prioritize applying Microsoft's security update addressing this vulnerability immediately. Microsoft released patches for this issue as part of its July 2012 Patch Tuesday cycle, so any system still unpatched represents a significant exposure. Defenders should audit environments for unpatched VBA-enabled Office installations, restrict users from opening Office documents from untrusted network locations, and monitor for unexpected DLL load events originating from non-standard paths (network shares, user-writable directories) in Office or VBA processes. Applying the principle of least privilege to user accounts will limit the impact of any successful exploitation, since the injected code runs only with the rights of the user who opened the document.
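The monitoring step above can be turned into a concrete check. The following is an added example written for this briefing, not code from the original page, from CISA or from Microsoft. It assumes that Sysmon "Image loaded" events (Event ID 7) have already been parsed into dictionaries carrying the real Sysmon field names Image (loading process), ImageLoaded (DLL path) and Signed; the list of VBA host processes and trusted directories is an assumption to be tuned per estate, and the sample events are constructed.

```python
"""Flag DLL loads by Office/VBA host processes from non-standard paths.

Added example (not from the briefing, CISA or Microsoft). Assumes Sysmon
Event ID 7 records already parsed into dicts with 'Image', 'ImageLoaded'
and 'Signed'. The sample events at the bottom are constructed.
"""
from pathlib import PureWindowsPath

# Office components that host VBA (assumed list; extend for your estate).
VBA_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe",
             "msaccess.exe", "outlook.exe", "visio.exe"}

# Directories from which DLL loads by those hosts are expected (assumption).
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                r"C:\Windows\WinSxS", r"C:\Program Files",
                r"C:\Program Files (x86)")


def _parts(path):
    """Case-folded path components; Windows paths compare case-insensitively."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def is_under(path, directory):
    """True if `path` lies inside `directory` (or equals it)."""
    p, d = _parts(path), _parts(directory)
    return p[:len(d)] == d


def classify_load(event):
    """Return a reason string if the load looks suspicious, else None."""
    proc = PureWindowsPath(event["Image"]).name.lower()
    if proc not in VBA_HOSTS:
        return None                      # only VBA-capable hosts are in scope
    dll = event["ImageLoaded"]
    # A UNC drive means the DLL came from a network share: always worth a look.
    if PureWindowsPath(dll).drive.startswith("\\\\"):
        return "dll loaded from network share (UNC path)"
    if any(is_under(dll, d) for d in TRUSTED_DIRS):
        return None                      # expected location
    if is_under(dll, r"C:\Users"):
        reason = "dll loaded from user-writable profile directory"
    else:
        reason = "dll loaded from non-standard path"
    if str(event.get("Signed", "")).lower() == "false":
        reason += ", unsigned"
    return reason


def flag_dll_loads(events):
    """Run classify_load over a batch of events and return the alerts."""
    alerts = []
    for ev in events:
        reason = classify_load(ev)
        if reason:
            alerts.append({"process": ev["Image"],
                           "dll": ev["ImageLoaded"],
                           "reason": reason})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\ole32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"\\fileserver\share\example.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\example.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\example.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for alert in flag_dll_loads(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed batch, only the two Office loads from the network share and from the user's Downloads directory are flagged; the Chrome load from the same directory is ignored because only VBA hosts are in scope, and the loads from System32 and the Office install directory pass as expected. In production the trusted-directory allowlist is the part that needs tuning, since add-ins legitimately installed under a user profile will otherwise generate noise.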
