🟢 CVE-2009-0556

Microsoft PowerPoint memory corruption vulnerability that allows remote code execution when a user opens a specially crafted PowerPoint file. Despite being in CISA KEV, this is a client-side application vulnerability requiring user interaction, not a server-side exploit.

← Back to Overview
LOW_RISK
Risk Level
8.8
CVSS Score
NETWORK
Attack Vector
Execution
ATT&CK Tactic
T1203 — Exploitation for Client Execution
ATT&CK Technique
VERY_LOW
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2009-04-03

Added to CISA KEV: 2026-01-07 6123 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-03)

CVE-2009-0556 is a critical memory corruption vulnerability in Microsoft Office PowerPoint that has recently regained attention due to its inclusion in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog in January 2026 [2] [3].

Overview and Impact
  • Vulnerability Type: Memory corruption (specifically within the `OutlineTextRefAtom` framework) [1] [3].
  • Impact: Successful exploitation allows a remote attacker to execute arbitrary code with the privileges of the logged-in user [3]. This can lead to full system compromise, malware deployment, and lateral movement within a network [4] [3].
Exploitation and Attack Method
  • Method: Attackers exploit the vulnerability by sending a specially crafted PowerPoint file containing an invalid index value within an `OutlineTextRefAtom` structure [1] [3].
  • Requirements: Exploitation typically requires user interaction, such as opening the malicious file.
  • Active Exploitation: While originally exploited in the wild in April 2009 (e.g., by `Exploit:Win32/Apptom.gen`), its recent addition to the CISA KEV catalog confirms that it remains a target for threat actors today, particularly in environments that continue to run legacy, unpatched versions of Microsoft Office [1] [5] [6].
Affected Products and Mitigation
  • Affected Versions:
* Microsoft Office PowerPoint 2000 SP3 * Microsoft Office PowerPoint 2002 SP3 * Microsoft Office PowerPoint 2003 SP3 * Microsoft Office 2004 for Mac [1]
  • Status: This is a legacy vulnerability. The primary mitigation is to ensure that no systems are running these outdated and unsupported versions of Microsoft Office. Organizations are advised to follow the guidance provided in CISA's Binding Operational Directive (BOD) 22-01, which mandates the remediation of vulnerabilities listed in the KEV catalog [1] [6].

Sources

  1. CVE-2009-0556 Detail - NVD

    This CVE is in CISA's Known Exploited Vulnerabilities Catalog. Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and ... This CVE is in CISA's Known Exploited Vulnerabilities Catalog Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for…

  2. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2009-0556…

  3. CISA Alerts on Actively Exploited Microsoft PowerPoint Code Injection Flaw

    The Cybersecurity and Infrastructure Security Agency (CISA) has escalated warnings about a critical Microsoft PowerPoint vulnerability, adding CVE-2009-0556 to its catalog of known exploited vulnerabilities after confirming active exploitation in the wild. The flaw, which enables attackers to execut…

  4. Microsoft Security Bulletin MS09-017 - Critical

    An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then ...

  5. January 2026 CVE Landscape: 23 Critical Vulnerabilities ...

    CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade. ... Why this matters: WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, ampl…

  6. CISA Warns of Exploited PowerPoint Vulnerability | LinkedIn

    CVE-2009-0556 affects Microsoft Office PowerPoint and enables code injection attacks. The vulnerability dates to 2009 but continues to present exploitation risk in environments running legacy Office versions. CVE-2024-43451 impacts Windows NT LAN Manager and allows elevation of privilege attacks. Fe…

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed