CISA Warns of Exploitation of 17-Year-Old Excel Vulnerability

Severity: High (Score: 72.8)

Sources: learn.microsoft.com, Heise.De, Theregister

Summary

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding active exploitation of CVE-2009-0238, a critical remote code execution vulnerability in Microsoft Excel, first identified in 2009. This vulnerability allows attackers to execute malicious code by convincing users to open specially crafted Excel documents. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 14, 2026, setting a two-week deadline for federal agencies to apply patches. Alongside this, a newer vulnerability in SharePoint, CVE-2026-32201, also received attention due to its exploitation as a zero-day. The Excel vulnerability affects multiple versions, including Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1, as well as various Office viewers. Attackers previously exploited this flaw using Trojan.Mdropper.AC. The current situation highlights the risks of outdated software still in use. IT managers are urged to ensure their systems are updated to mitigate these threats.

Key Points:

  • CISA warns of active exploitation of the 17-year-old Excel vulnerability CVE-2009-0238.
  • The vulnerability allows remote code execution through malicious Excel documents.
  • CISA has set a two-week deadline for federal agencies to patch the vulnerability.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2009-0238 (cve)
  • CVE-2026-32201 (cve)
  • trojan.mdropper.ac (domain)
  • Mdropper (malware)
  • T1059.005 - Visual Basic (mitre_attack)
  • T1203 - Exploitation for Client Execution (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Microsoft Excel (platform)
  • Microsoft Office (platform)
  • Microsoft SharePoint (platform)
  • SharePoint Server (platform)
  • Visual Basic For Applications (tool)