Full Report
Vuln old enough to drive lands on CISA's exploited list
While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.…
Analysis Summary
# Vulnerability: Critical Remote Code Execution in Legacy Microsoft Excel
## CVE Details
- **CVE ID:** CVE-2009-0238
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-94 (Improper Control of Generation of Code - Remote Code Execution)
## Affected Systems
- **Products:** Microsoft Office Excel, Excel Viewer, Compatibility Pack, and Office for Mac.
- **Versions:**
  - Excel 2000 SP3, 2002 SP3, 2003 SP3, 2007 SP1
  - Excel Viewer 2003 (Gold and SP1)
  - Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1
  - Microsoft Office 2004 and 2008 for Mac
- **Configurations:** Systems where users operate with administrative privileges are at higher risk.
## Vulnerability Description
CVE-2009-0238 is a remote code execution (RCE) vulnerability stemming from how Excel handles malformed objects within a spreadsheet. When a victim opens a specially crafted Excel file, the "malformed object" triggers a memory corruption or logic flaw that allows the execution of arbitrary code in the context of the current user. Historically, this bug was used as a delivery mechanism for `Trojan.Mdropper.AC`.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV Catalog in April 2026).
- **Complexity:** Low (Requires convincing a user to open a file).
- **Attack Vector:** Network (Social Engineering/Email).
## Impact
- **Confidentiality:** Total (Attacker can view all data and install programs).
- **Integrity:** Total (Attacker can change or delete data).
- **Availability:** Total (Attacker can take complete control of the system).
## Remediation
### Patches
- **Microsoft Security Bulletin MS09-009:** This legacy patch contains the fixes for all affected Windows-based Office products.
- **Modern Versions:** Upgrade to current, supported versions of Microsoft 365 or Office 2021, which are not susceptible to this ancient flaw.
- **FCEB Agencies:** Must comply with CISA's directive to patch or decommission affected instances within the two-week deadline (by late April 2026).
### Workarounds
- **Least Privilege:** Ensure users do not run with administrative rights to limit the scope of a successful compromise.
- **File Blocking:** Use File Block settings in Office Trust Center to prevent the opening of legacy Excel file formats (e.g., .xls files from Excel 2003 and older).
## Detection
- **Indicators of Compromise:** Presence of `Trojan.Mdropper.AC` or suspicious `.xls` files containing malformed OLE objects.
- **Detection Methods:**
  - Use Endpoint Detection and Response (EDR) tools to monitor for suspicious child processes spawned by `excel.exe`.
  - Scan network traffic for legacy Office file transfers from untrusted sources.
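The parent/child check above, as an added example (not code from the advisory or from Microsoft): it runs over process-creation events already exported from an EDR or Sysmon sensor as dicts with the hypothetical field names `host`, `parent_image`, `image` and `command_line`, flags script hosts and system utilities spawned by `excel.exe`, and also flags any child image loaded from outside Program Files or Windows, which is how a dropped payload usually shows up. The sample events are constructed.

```python
"""Flag suspicious child processes of excel.exe in process-creation telemetry.
Added example, not from the advisory; field names are hypothetical, events constructed."""
from typing import Iterable

PARENT_IMAGE = "excel.exe"
# Script hosts and utilities a spreadsheet has no business launching; a dropper
# needs one of these (or a freshly written binary) to run its payload.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Helpers Excel launches legitimately (print spooler proxy, error reporting).
BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe"}
# Directories a child of Excel is expected to be loaded from.
TRUSTED_PREFIXES = ("c:/program files", "c:/windows")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def suspicious_children(events: Iterable[dict]) -> list[dict]:
    """One alert per event whose parent is excel.exe and whose child is a known
    script host/utility or runs from outside the trusted directories."""
    alerts = []
    for ev in events:
        if basename(ev.get("parent_image", "")) != PARENT_IMAGE:
            continue
        image = ev.get("image", "").replace("\\", "/").lower()
        child = basename(image)
        if child in BENIGN_CHILDREN:
            continue
        if child in SUSPICIOUS_CHILDREN:
            reason = "script host or system utility spawned by Excel"
        elif not image.startswith(TRUSTED_PREFIXES):
            reason = "child image outside trusted directories"
        else:
            continue
        alerts.append({"host": ev["host"], "child": child, "reason": reason,
                       "command_line": ev.get("command_line", "")})
    return alerts

EXCEL = r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"host": "ws01", "parent_image": EXCEL, "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 8192"},
    {"host": "ws01", "parent_image": EXCEL, "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c update.exe"},
    {"host": "ws02", "parent_image": EXCEL, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "command_line": "update.exe"},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]
ALERTS = suspicious_children(SAMPLE_EVENTS)  # two alerts: cmd.exe, then update.exe
```

Tune `BENIGN_CHILDREN` and `TRUSTED_PREFIXES` to the fleet before alerting on the location rule, since add-ins installed under a user profile will otherwise trip it.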
## References
- **Vendor Advisory:** hxxps[://]learn[.]microsoft[.]com/en-us/security-updates/securitybulletins/2009/ms09-009
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **MSRC Update Guide:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2009-0238