What happened
CISA added CVE-2012-1854, an insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA), to the Known Exploited Vulnerabilities catalog on 2026-04-13; a KEV listing denotes exploitation confirmed in the wild CISA KEV. Federal civilian agencies must apply the vendor's fix by 2026-04-27 or discontinue use of the product if mitigations are unavailable, per the entry's required action CISA KEV. The flaw is tracked as CWE-426 (Untrusted Search Path), the weakness class behind DLL search-order hijacking NVD CVE-2012-1854.
NVD describes CVE-2012-1854 as an untrusted search path in the VBA runtime that lets an attacker run arbitrary code when the runtime loads a DLL from a directory the attacker controls, such as the folder holding a document the victim opens NVD CVE-2012-1854. The affected product is Microsoft Visual Basic for Applications, the macro runtime embedded in Office-family applications and redistributed with some third-party applications MITRE CVE record. CISA lists use in ransomware campaigns as unknown for this CVE in the current KEV entry CISA KEV.
Why it matters
When the VBA runtime asks for a dependent DLL by bare file name, Windows walks a fixed search order, and any directory in that order the attacker can write to is a place to plant a same-named library; when the document's folder is searched before the directory that should supply the DLL, the attacker's copy wins and runs in the victim's session NVD CVE-2012-1854. Because VBA is loaded by Office documents, the trigger aligns with routine user actions such as opening a file from a network share or an attacker-controlled folder, which lowers the barrier to initial access NVD CVE-2012-1854. A KEV listing means exploitation has been observed, so defenders should assume both opportunistic and targeted use against unpatched systems CISA KEV.
This is a classic DLL search-order hijack (CWE-426). It needs neither macro enablement nor an exploit chain: the payload is a native DLL, and the victim only has to open a document from a location where the attacker has placed one NVD CVE-2012-1854. Long-tail vulnerabilities like CVE-2012-1854 persist because older runtimes and embedded components remain in enterprise workflows, leaving durable pockets of exposure that attackers return to when modern controls block newer techniques MITRE CVE record.
Technical detail
CVE-2012-1854 arises from an untrusted search path in the VBA runtime: a dependent library is requested by bare file name and so resolved through the loader's search order, which includes the current working directory, rather than from a trusted, fully qualified path NVD CVE-2012-1854. CWE-426 covers exactly this pattern, a product that searches for a resource such as a DLL in directories an attacker can influence NVD CVE-2012-1854. When the vulnerable code path runs, the loader finds the attacker's copy of the module first and executes its DllMain and exports inside the host process, under the user's context MITRE CVE record.
Practical exploitation places a DLL with the expected file name next to a lure document on a share, a WebDAV location, or removable media, then induces the victim to open the document; the opening process's working directory becomes that folder, and the unqualified load resolves there NVD CVE-2012-1854. Once the library is loaded, the Office process is under attacker control, and follow-on activity can include payload staging, persistence, or lateral discovery depending on objectives NVD CVE-2012-1854. Scope is limited to workflows that exercise the VBA runtime and to host processes that rely on it and therefore load libraries through the vulnerable path MITRE CVE record.
Microsoft fixed the issue in security bulletin MS12-046 (July 2012), which NVD references for this CVE; applying that update, or the vendor's mitigations where the update cannot be applied, remains the authoritative remediation NVD CVE-2012-1854. CISA's KEV directive requires organizations to follow vendor instructions or discontinue use of the product if mitigations are unavailable, with the listed due date applying to federal agencies CISA KEV.
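The resolution described above, modeled in Python as an added example. This is not Microsoft's loader and not code from the original page: the dependency name vbadep.dll is hypothetical (the DLL named in MS12-046 is not given here), and the install directory, share path and file system are constructed. The model covers the SafeDllSearchMode ordering and the CWDIllegalInDllSearch setting from KB2264107 and deliberately omits KnownDLLs, manifests, DLL redirection and the LOAD_LIBRARY_SEARCH_* flags.

```python
import ntpath
from dataclasses import dataclass

# Added illustration of the CWE-426 mechanism behind CVE-2012-1854. Not Microsoft's
# loader and not code from the original page. Dependency name, install directory,
# share path and file system are all constructed for the example.

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


@dataclass
class Host:
    app_dir: str          # directory of the host EXE (e.g. WINWORD.EXE)
    cwd: str              # working directory at load time (the document's folder)
    path_dirs: list       # %PATH% entries
    files: set            # constructed file system: full paths that exist
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
    safe_dll_search_mode: bool = True
    # KB2264107 CWDIllegalInDllSearch = 0xFFFFFFFF removes the CWD from the search
    cwd_illegal_in_dll_search: bool = False


def search_order(h):
    """Directories the loader consults, in order, for an unqualified DLL name."""
    if h.safe_dll_search_mode:
        order = [h.app_dir, *SYSTEM_DIRS, h.cwd, *h.path_dirs]
    else:  # legacy order: the working directory comes before the system directories
        order = [h.app_dir, h.cwd, *SYSTEM_DIRS, *h.path_dirs]
    if h.cwd_illegal_in_dll_search:
        order = [d for d in order if d != h.cwd]
    return order


def resolve(h, module):
    """Full path the load would bind to, or None when no candidate exists."""
    if ntpath.isabs(module):            # fully qualified name: no search at all
        return module if module in h.files else None
    for d in search_order(h):
        candidate = ntpath.join(d, module)
        if candidate in h.files:
            return candidate
    return None


def scenarios():
    """Resolve a hypothetical VBA dependency under five configurations."""
    office = r"C:\Program Files\Microsoft Office\Office14"   # constructed install dir
    share = r"\\fileserver\shared\invoices"                  # constructed lure folder
    module = "vbadep.dll"            # hypothetical name, not the DLL from MS12-046
    planted = ntpath.join(share, module)
    trusted = ntpath.join(SYSTEM_DIRS[0], module)
    base = dict(app_dir=office, cwd=share, path_dirs=[r"C:\Tools"])
    return {
        # Dependency absent from every trusted directory: the search falls through
        # to the working directory even with SafeDllSearchMode on. This is the
        # shape of CVE-2012-1854.
        "missing_dep_safe_mode": resolve(Host(**base, files={planted}), module),
        # Dependency shipped in System32: safe mode finds it before the CWD.
        "shipped_dep_safe_mode": resolve(Host(**base, files={planted, trusted}), module),
        # Same file system, legacy order: the CWD copy is found first.
        "shipped_dep_legacy_mode": resolve(
            Host(**base, files={planted, trusted}, safe_dll_search_mode=False), module),
        # CWDIllegalInDllSearch removes the CWD: the load fails instead of hijacking.
        "missing_dep_cwd_blocked": resolve(
            Host(**base, files={planted}, cwd_illegal_in_dll_search=True), module),
        # Fully qualified path: the search order is never consulted.
        "fully_qualified": resolve(Host(**base, files={planted, trusted}), trusted),
    }


def hijacked(result, attacker_dir):
    """True when resolution bound to a file under the attacker-controlled folder."""
    return result is not None and result.lower().startswith(attacker_dir.lower())


if __name__ == "__main__":
    share = r"\\fileserver\shared\invoices"
    for name, path in scenarios().items():
        print(f"{name:26} -> {path}  hijacked={hijacked(path, share)}")
```

The first scenario is the one that matters: a DLL that no trusted directory supplies falls through to the working directory even with SafeDllSearchMode on, so the default search mode does not help when the dependency was never shipped in System32. The fix is a fully qualified load (or the process-wide SetDefaultDllDirectories / LOAD_LIBRARY_SEARCH_* defaults introduced with KB2533623); CWDIllegalInDllSearch is the system-wide stopgap, at the cost of breaking software that genuinely relies on CWD loads.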
Defense
- Patch and verify. Apply the MS12-046 update (the fix NVD references for CVE-2012-1854) and confirm the VBA runtime is updated in every host application that embeds it, including third-party products that ship their own copy NVD CVE-2012-1854. CISA mandates remediation per the KEV entry's required action and timetable, including discontinuing use if the fix cannot be applied CISA KEV.
- Reduce search-path risk. In custom add-ins and templates, load libraries by fully qualified path (for example in VBA Declare statements) rather than by bare file name, so resolution never walks untrusted directories; this is the standard mitigation for CWE-426 NVD CVE-2012-1854. Audit build and deployment scripts for relative paths or current-directory assumptions that an attacker could influence after deployment MITRE CVE record. The Windows-level settings that remove the current working directory from the search order (CWDIllegalInDllSearch from KB2264107, and SafeDllSearchMode left enabled) reduce exposure across all applications, not just VBA.
- Monitor for suspicious module loads. Alert when Office or other VBA-hosting processes load a DLL from a user-writable or non-standard location (user profile, temp, a UNC share, removable media), which is the signature of this CVE's untrusted-path load NVD CVE-2012-1854. Correlate the load with the process's creation event and the document path on its command line, so that a DLL resolving from the same folder as the opened document surfaces as a probable hijack rather than an unexplained module load MITRE CVE record.
- Control execution. Where patching lags, isolate vulnerable hosts and restrict workflows that open documents from shares or removable media, the paths the CVE's search-order weakness depends on NVD CVE-2012-1854. Apply least privilege and application control (for example, DLL rules that allow only signed or known-path modules) to limit impact if a hijack does occur CISA KEV.
Lyrie Verdict
Old doesn't mean obsolete to attackers. DLL search-order bugs like CVE-2012-1854 are low-friction execution paths, and the library load completes in milliseconds at document open, long before a human-in-the-loop triage queue would see it NVD CVE-2012-1854. Lyrie's autonomous detection stack watches module loads in real time, flags Office/VBA processes resolving DLLs from untrusted or user-writable paths, and enforces a deny or isolate action before code in the hijacked module runs MITRE CVE record. With KEV confirmation of active exploitation, we raise VBA library-load anomalies to blocking priority and auto-remediate by terminating the load sequence and quarantining the origin document or share for forensic capture, with no wait for analyst clicks CISA KEV.
Lyrie Verdict
Lyrie hunts and blocks VBA/Office module loads from untrusted paths at machine speed, auto-isolating the source when a CVE-2012-1854-style DLL hijack fires, prioritized to match KEV urgency.