CVE-2009-0238 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2009-02-25

Added to CISA KEV: 2026-04-14 6257 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Apply Microsoft Security Bulletin MS09-009 immediately to patch affected Excel versions
Implement email security controls to block malicious Excel attachments
Enable Office document protection features and disable macros by default
Monitor for suspicious Excel process behavior and unexpected network connections
High patch priority for all desktop environments due to KEV listing and active exploitation

🔍 Web Intelligence (Kagi · 2026-06-03)

CVE-2009-0238 is a significant remote code execution (RCE) vulnerability affecting legacy versions of Microsoft Office Excel ^[2]. Despite its age, it has recently regained attention due to its inclusion in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, indicating it is currently being actively exploited in the wild ^[5] ^[3].

Exploitation and Impact

Attack Method: The vulnerability is triggered when a user opens a specially crafted Excel document that causes an invalid object access attempt ^[1].
Requirements: Successful exploitation requires user interaction—specifically, the victim must open the malicious file ^[1].
Impact: Successful exploitation allows a remote attacker to execute arbitrary code within the security context of the current user ^[2]. This can lead to unauthorized system access, data exfiltration, or further compromise of the host machine ^[2].

Threat Landscape

Active Exploitation: The vulnerability is currently being actively exploited in the wild ^[3]. It has been associated with malware such as `Trojan.Mdropper.AC` ^[2].
Targeted Attacks: While specific campaigns are often not publicly detailed, the inclusion in the KEV catalog underscores its continued utility to threat actors for document-based attacks, which remain a highly effective vector ^[3].

Affected Products and Mitigation

The vulnerability affects several legacy Microsoft Office products:

Microsoft Office Excel: 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1 ^[1].
Other Components: Excel Viewer 2003 (Gold and SP3), general Excel Viewer, Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1, and Excel in Microsoft Office 2004 and 2008 for Mac ^[1].

Status: This vulnerability was patched by Microsoft long ago. However, because it remains a viable vector for document-based attacks, organizations using outdated or legacy systems are at significant risk and are urged to ensure all applicable security updates are applied to mitigate the threat ^[4] ^[3].

Sources

NVD - CVE-2009-0238
An official website of the United States government Here's how you know ... CVE-2009-0238 Detail. Deferred. This CVE record is not being prioritized for NVD enrichment efforts due to resource or other concerns. Description. Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Vie…
CVE-2009-0238 Microsoft Office Excel RCE Security... | IntrusionScope
CVE-2009-0238 is a significant Remote Code Execution (RCE) vulnerability affecting various legacy versions of Microsoft Office Excel. Classified under CWE-94 (Improper Control of Generation of Code), this flaw allows attackers to execute arbitrary code with the security context of the current user.
CISA Adds CVE-2009-0238 and CVE-2026-32201 to KEV: Patch Exploited ...
CVE-2009-0238 is old, but it is still dangerous because document-based exploitation remains effective. CVE-2026-32201 is new, but it lands in a product family with a long history of attacker interest. Active exploitation is the key detail that moves both flaws into the KEV queue. ... CVE-2009-0238 i…
An ancient Microsoft Excel security flaw could let hackers hijack your ...
According to the National Vulnerability Database (NVD), the bug allows threat actors to execute arbitrary code (RCE) via a crafted Excel ... CISA adds 18‑year‑old Excel flaw (CVE‑2009‑0238) to KEV catalog Vulnerability enables RCE via malicious Excel files, patched long ago Outdated systems still at…
cve-2009-0238 - NVD - National Institute of Standards and Technology
This CVE is in CISA's Known Exploited Vulnerabilities Catalog. Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and ...