Code Defence Cyber security

Microsoft Visual Basic VBA insecure library loading flaw added to CISA KEV

Threat actors are reviving a legacy vulnerability in the Microsoft Visual Basic for Applications engine to achieve unauthorized code execution. This flaw highlights the persistent risk of older codebases in modern enterprise environments.

Tracked as CVE-2012-1854, this insecure library loading vulnerability in the Microsoft Visual Basic for Applications (VBA) engine allows an attacker to execute arbitrary code. CISA added this legacy flaw to the KEV catalog on April 13 after observing a resurgence in its use by commodity malware and ransomware groups to establish initial access.

Legacy vulnerabilities in core software engines remain effective because they often fall outside the scope of modern vulnerability scanners. Attackers prioritize these “forgotten” flaws to bypass modern security controls that are tuned to detect more recent zero-day exploitation patterns.

– Ensure all Microsoft Office applications are fully patched and that the latest security updates for VBA are applied.

– Implement strict Group Policy rules to disable macros or restrict them to signed code from trusted publishers.

– Utilize EDR to monitor for anomalous child processes spawned by Office applications or the VBA engine.

– Audit the enterprise for any legacy applications that may rely on outdated versions of the VBA engine.
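
The EDR monitoring item above, as an added example that is not part of the original post: it triages process-creation and image-load events for Office processes that spawn script hosts or load a DLL from outside trusted directories, which is what insecure library loading looks like in telemetry. The Sysmon-style field names, the process lists, the trusted directories and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumed field names follow Sysmon (EventID 1 = process create, 7 = image load).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a library is expected to load from (assumption; tune per environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _name(path):
    return ntpath.basename(path).lower()

def _norm(path):
    # Collapse ".." segments so C:\Windows\..\Users\x.dll is not treated as trusted.
    return ntpath.normpath(path).lower()

def triage(event):
    """Return a finding label for a suspicious event, or None."""
    eid = event.get("EventID")
    if eid == 1 and _name(event.get("ParentImage", "")) in OFFICE:
        if _name(event.get("Image", "")) in SCRIPT_HOSTS:
            return "office-child-process"
    if eid == 7 and _name(event.get("Image", "")) in OFFICE:
        loaded = _norm(event.get("ImageLoaded", ""))
        if loaded.endswith(".dll") and not loaded.startswith(TRUSTED_DIRS):
            return "office-untrusted-dll-load"
    return None

def findings(events):
    """Return (index, label) for every event that triage() flags."""
    return [(i, f) for i, e in enumerate(events) if (f := triage(e))]

# Constructed sample events, not real telemetry.
OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\Office16\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": OFFICE_DIR + "WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": OFFICE_DIR + "EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\helper.dll"},
    {"EventID": 7, "Image": OFFICE_DIR + "EXCEL.EXE",
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"},
    {"EventID": 7, "Image": OFFICE_DIR + "EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\..\Users\alice\AppData\Local\Temp\x.dll"},
]

if __name__ == "__main__":
    for idx, label in findings(SAMPLE_EVENTS):
        print(idx, label)
```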

Remediation of legacy flaws is a baseline requirement to close the “compliance gap” that attackers exploit for reliable initial access. #CodeDefence #Microsoft #VBA #PatchManagement