ThreatLevelBeta
Planned Fix

CVE-2012-1854

VBA insecure library loading RCE (user-assisted)
Loading...

Summary

Microsoft VBA/VBE6.dll incorrectly resolves external libraries from the current working directory. An attacker can plant a malicious DLL beside a legitimate Office document on an SMB or WebDAV share and trick a user into opening it, causing Office to load and execute the DLL. The impact is arbitrary code execution in the victim's context, with complete system compromise possible if the user is privileged.

Why Planned Fix?

3/6
No authentication required
Internal deployment
User interaction needed
Not exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
No
Is authentication needed?
No
PoC / Exploit
No
Impact

Execute arbitrary code in the Office user's context, potentially taking complete control of the system.

RCE (Remote Code Execution)
Exploitation Requirements
  • Affected locale without IMESHARE.DLL
  • Victim opens Office document from malicious SMB/WebDAV share
Exploitation Process

An attacker places a malicious DLL in the same folder as a legitimate Office document on an SMB or WebDAV share. The victim opens the document from that location, causing VBA/VBE6.dll to search the current working directory and load the attacker's DLL. The malicious library then runs inside the Office process and can perform attacker-controlled actions.

Detection Resources
Manual Detection
support.microsoft.com
1
Script Detection
oval.cisecurity.org
1
Scanner Detection
Tenable Nessus
1

Affected Software

Vendor:Microsoft
ProductAffected Versions
Microsoft Office2003 SP3, 2007 SP2 and SP3, 2010 Gold and SP1
Microsoft Visual Basic for Applicationsall supported versions
Microsoft Visual Basic for Applications SDK6.3 through 6.5
Description

Microsoft Office is a desktop productivity suite for creating and editing documents, spreadsheets, presentations, and email. The VBA runtime and SDK provide macro and automation support used by Office and some third-party applications.

Deployment:Typically internal
|
Protocol:SMB/WebDAV
|
Ports:139, 445, 80, 443
Affected ComponentVBE6.dll's external library loading logic in VBA, which resolves DLLs from the current working directory and can load a malicious DLL placed beside an Office document.

VBE6.dll's external library loading logic in VBA, which resolves DLLs from the current working directory and can load a malicious DLL placed beside an Office document.

Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround
Disable loading libraries from WebDAV and remote network shares using the KB2264107 workaround tool, or disable the WebClient service and block TCP 139/445.

Disable loading libraries from WebDAV and remote network shares using the KB2264107 workaround tool, or disable the WebClient service and block TCP 139/445.

learn.microsoft.com
Patch
Apply the MS12-046 security updates for Office 2003 SP3, 2007 SP2/SP3, or 2010 Gold/SP1; update VBA runtime/SDK installations that ship VBE6.dll, including third-party copies.

Apply the MS12-046 security updates for Office 2003 SP3, 2007 SP2/SP3, or 2010 Gold/SP1; update VBA runtime/SDK installations that ship VBE6.dll, including third-party copies.

learn.microsoft.com
Update

Not available

Threat Intelligence
EPSS Score1.4%

Probability of exploitation in the next 30 days

EPSS Percentile80%

Worse than 80% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Listed
Loading...
Active Exploitation
Active
microsoft.com
Threat Actors

No known threat actors

Detection Rules1
KQL
DeviceImageLoadEvents | where InitiatingProcessFileName in~ ('WINWORD.EXE','EXCEL.EXE','POWERPNT.EXE','MSACCESS.EXE') and FolderPath startswith '\\' and FileName endswith '.dll'

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Visual Basic for Applications Insecure Library Loading Vulnerability," as exploited in the wild in July 2012.

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-426 Untrusted Search Path
|
NVD:CVE-2012-1854
|
Version From:
|
Version Upto:

Affected Software (CPE) (9)

  • cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2007:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2010:*:x86:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2010:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2010:sp1:x64:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2010:sp1:x86:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_basic_for_applications:*:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_basic_for_applications_sdk:*:*:*:*:*:*:*:*

Sources

7
SourceArticle
learn.microsoft.comMicrosoft Security Bulletin MS12-046
www.microsoft.comAssessing risk for the July 2012 security updates
nvd.nist.govCVE-2012-1854 Detail
learn.microsoft.comMicrosoft Security Advisory 2269637
support.microsoft.comMS10-031 VBA vulnerability
www.tenable.comMS12-046 Nessus Plugin 59909
oval.cisecurity.orgoval:org.mitre.oval:def:14950

Priority History

Planned FixLoading...

Initial analysis