- CISA adds 18-year-old Excel vulnerability (CVE‑2009‑0238) to KEV catalog
- Vulnerability Allows RCE via Malicious Excel Files, Patched Long Ago
- Obsolete systems still under threat; agencies ordered to patch by April 28
Incredibly, there are still systems vulnerable to an 18-year-old Microsoft Excel vulnerability and, unsurprisingly, cybercriminals are taking advantage of this fact.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) catalog, a list of flaws confirmed to be exploited in the wild, to add CVE-2009-0238, a bug in Microsoft Excel first discovered in 2009.
According to the National Vulnerability Database (NVD), the bug allows malicious actors to execute arbitrary code (RCE) via a crafted Excel document “which triggers an attempt to access an invalid object.”
One week to patch
This vulnerability, with a severity score of 8.8/10 (high), was first observed being used to deliver the Trojan.Mdropper.AC malware.
It affects Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; the Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac. It was fixed literally forever ago.
However, it seems that there are still systems using this very outdated and therefore vulnerable software. CISA added the bug to KEV on April 14, 2026, and gave Federal Civilian Executive Branch (FCEB) agencies one week to fix it (by April 28).
Other than that, we don’t know much about who is exploiting the bug and for what purposes. CISA could not say whether or not the flaw was used in ransomware infections. We can assume that the attacks include a phishing email containing a weaponized Excel document.
Additionally, if we assume that the versions not on the list are safe, that would mean that anyone running them is at no risk:
- Excel 2007 (SP2 and later)
- Excel 2010
- Excel 2013
- Excel 2016
- Excel 2019
- Excel 2021
- Excel for Microsoft 365 (all versions)
- Excel for Mac (versions newer than 2008)
Via The Register