CVE-2009-0238

Microsoft Excel — Remote Code Execution via Invalid Object Access (17-Year-Old Zero-Day)
⚠️ CVSS 3.1  8.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is Microsoft Excel?

Microsoft Excel is the world's most widely used spreadsheet application, part of the Microsoft Office suite. It is deployed across virtually every enterprise sector — finance, healthcare, government, and logistics — making it a perennial high-value target for threat actors. The ability to weaponize Excel files and deliver them via email or file share enables broad phishing campaigns with minimal technical barrier to entry for the attacker.

Overview

Actively Exploited — 17 Years Later. CVE-2009-0238 was originally patched in April 2009 but was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 14, 2026 — confirming fresh, in-the-wild exploitation nearly two decades after it was first disclosed. Federal agencies must remediate by April 28, 2026.

CVE-2009-0238 is a remote code execution vulnerability in Microsoft Office Excel. Exploitation requires a user to open a specially crafted Excel file; when the malicious document is processed, Excel attempts to access an invalid object in memory, triggering memory corruption that allows an attacker to execute arbitrary code in the context of the logged-in user. The attack is delivered via email attachment or malicious download — no server-side exposure is required.

The vulnerability's re-emergence in 2026 underscores a persistent threat pattern: legacy Office vulnerabilities continue to be weaponized years or decades after patching because a significant subset of enterprise and government environments still run unpatched or legacy Office versions, and because phishing with malicious Office documents remains a dominant initial access technique.

Affected Versions

Product                                                   Vulnerable Version   Fixed In
Microsoft Office Excel 2000                               SP3                  MS09-009 (April 2009)
Microsoft Office Excel 2002                               SP3                  MS09-009 (April 2009)
Microsoft Office Excel 2003                               SP3                  MS09-009 (April 2009)
Microsoft Office Excel 2007                               SP1                  MS09-009 (April 2009)
Microsoft Excel Viewer 2003                               Gold, SP3            MS09-009 (April 2009)
Microsoft Excel Viewer (standalone)                       -                    MS09-009 (April 2009)
Office Compatibility Pack (Word/Excel/PPT 2007 formats)   SP1                  MS09-009 (April 2009)
Microsoft Office for Mac 2004                             -                    MS09-009 (April 2009)
Microsoft Office for Mac 2008                             -                    MS09-009 (April 2009)

All versions listed above received patches in Microsoft Security Bulletin MS09-009 (Critical), released April 14, 2009.

Technical Details

The root cause is Excel's failure to validate object references before accessing them during document parsing. When a specially crafted .xls or .xlsx document is opened, Excel dereferences a pointer to an invalid or freed object in memory. This triggers memory corruption that an attacker can control to redirect execution flow.
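The failure described above is a document parser trusting an object reference it read from the file. The following Python parser for a constructed toy record format (an assumption for this example; it is not the real .xls layout and not Microsoft's code) is an added example that shows the checks a parser needs before resolving such a reference: the declared record length against the bytes remaining, the object index against the object table, and whether the referenced slot has already been released. In a native parser the missing checks are a memory-safety bug; the Python models only the validation logic and fails closed with ParseError. The names REC_DEFINE, REC_DELETE, REC_USE, parse_document and rejects are assumptions of this example.

```python
import struct
from typing import List, Optional


class ParseError(ValueError):
    """Raised when a record or object reference fails validation; the file is rejected."""


# Record types of a constructed toy format (assumption for this example, not the real .xls layout).
REC_DEFINE = 0x01   # payload: arbitrary object bytes, appended to the object table
REC_DELETE = 0x02   # payload: u16 object index; marks that object as released
REC_USE = 0x03      # payload: u16 object index; must be validated before use

HEADER = struct.Struct("<BH")   # record type (u8) + payload length (u16, little-endian)
INDEX = struct.Struct("<H")     # object index payload


def record(rtype: int, payload: bytes) -> bytes:
    """Build one record; used only to construct sample inputs."""
    return HEADER.pack(rtype, len(payload)) + payload


def parse_document(data: bytes) -> List[bytes]:
    """Parse a record stream and return the objects resolved by REC_USE records.

    Every reference is checked before it is dereferenced: the declared length must
    fit in the buffer, the index must be inside the object table, and the slot must
    not have been released. A native parser that skips these checks dereferences a
    wild or dangling pointer; this one raises ParseError instead.
    """
    objects: List[Optional[bytes]] = []   # None marks a released (freed) slot
    resolved: List[bytes] = []
    pos = 0
    while pos < len(data):
        start = pos
        if len(data) - pos < HEADER.size:
            raise ParseError(f"truncated record header at offset {start}")
        rtype, length = HEADER.unpack_from(data, pos)
        pos += HEADER.size
        if length > len(data) - pos:
            raise ParseError(
                f"record at offset {start} claims {length} bytes, only {len(data) - pos} remain")
        payload = data[pos:pos + length]
        pos += length
        if rtype == REC_DEFINE:
            objects.append(payload)
        elif rtype in (REC_DELETE, REC_USE):
            if length != INDEX.size:
                raise ParseError(f"record at offset {start} has a malformed object index")
            (idx,) = INDEX.unpack(payload)
            if idx >= len(objects):
                raise ParseError(
                    f"object index {idx} out of range (table has {len(objects)} entries)")
            target = objects[idx]
            if target is None:
                raise ParseError(f"object index {idx} refers to a released object")
            if rtype == REC_DELETE:
                objects[idx] = None
            else:
                resolved.append(target)
        else:
            raise ParseError(f"unknown record type 0x{rtype:02x} at offset {start}")
    return resolved


def rejects(data: bytes) -> Optional[str]:
    """Return the ParseError message for a rejected document, or None if it parses."""
    try:
        parse_document(data)
    except ParseError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = (record(REC_DEFINE, b"alpha") + record(REC_DEFINE, b"beta")
            + record(REC_USE, INDEX.pack(1)) + record(REC_USE, INDEX.pack(0)))
    print("well-formed:", parse_document(good))
    print("out-of-range:", rejects(record(REC_DEFINE, b"alpha") + record(REC_USE, INDEX.pack(5))))
    print("dangling:", rejects(record(REC_DEFINE, b"alpha") + record(REC_DELETE, INDEX.pack(0))
                               + record(REC_USE, INDEX.pack(0))))
    print("truncated:", rejects(HEADER.pack(REC_DEFINE, 10) + b"abc"))
```

The three crafted inputs in the usage block correspond to the three ways a reference can be invalid: an index past the table, an index into a slot that a DELETE record already released, and a length field that points past the end of the file. Rejecting all of them before any lookup is the validation the advisory says Excel lacked.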

Attribute                Detail
CWE                      CWE-94 — Improper Control of Generation of Code ('Code Injection')
Attack Vector            Network (delivered via email/download)
Authentication Required  None — an anonymous attacker can send the malicious file
User Interaction         Required — the victim must open the malicious Excel file
Complexity               Low — no heap spray or exploit chaining required
Privileges Gained        Same as the logged-in user; SYSTEM-level if the user is an administrator

The attack chain is straightforward: craft a malicious Excel document → deliver via spearphishing email → victim opens attachment → arbitrary code runs on victim's system.

Discovery

The vulnerability was first observed being exploited in the wild in February 2009, before any patch existed, making the original exploitation a zero-day attack. Microsoft acknowledged active exploitation in its security bulletin at the time of patching (April 2009). The initial attacker tooling was identified by Symantec as Trojan.Mdropper.AC — a dropper/loader designed to download and execute secondary malware payloads on the compromised host.

The 2026 re-exploitation that prompted the CISA KEV addition represents a new wave of active attacks leveraging the same underlying flaw in unpatched or legacy systems.

Exploitation Context

This vulnerability has a notable dual-exploitation timeline:

2009 (Original Zero-Day): Exploited by Trojan.Mdropper.AC as part of targeted attacks before Microsoft could issue a patch. The malware functioned as a first-stage loader, dropping additional payloads for persistent access.

2026 (Re-Emergence): CISA's KEV listing on April 14, 2026 — the same day as Microsoft's April Patch Tuesday — confirms fresh exploitation activity. The Register reported on the re-emergence under the headline "Ancient Excel bug comes out of retirement for active attacks." This pattern — where patched-but-ancient vulnerabilities are re-exploited — is increasingly common as threat actors target organizations that have fallen behind on patching legacy Office installs or still run Office 2003/2007-era software in isolated environments.

The simultaneous KEV listing with SharePoint CVE-2026-32201 on April 14, 2026 suggests a broader Microsoft-focused exploitation campaign may be underway.

Remediation

CISA BOD 22-01 Deadline: April 28, 2026. Federal agencies are required to apply mitigations. All organizations should treat this as urgent given active exploitation.
  1. Apply MS09-009 immediately if not already done — available from Microsoft Learn. Any Office 2007 or earlier installation that has not received all cumulative updates is at risk.
  2. Upgrade legacy Office versions — Office 2007 and earlier are long past end-of-life and no longer receive security updates. Upgrade to a supported Microsoft 365 or Office 2021+ version.
  3. Enable Protected View in Excel (File → Options → Trust Center → Protected View) — files from the internet and email attachments then open in a sandboxed, read-only mode, so a crafted file cannot exploit Excel unless the user explicitly leaves Protected View (Enable Editing).
  4. Block macro execution — while this CVE doesn't require macros, disabling VBA macros via Group Policy reduces the overall Office attack surface.
  5. Train users not to open unexpected Excel attachments — this vulnerability requires user interaction, so awareness is a meaningful control.
  6. Review endpoint detection logs for suspicious Excel process spawning (e.g., EXCEL.EXE spawning cmd.exe, powershell.exe, or network-connecting processes), which may indicate active exploitation.
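Item 6 above describes the process-spawning signal in words. The Python script below is an added example (not from the advisory and not vendor tooling) that applies it to constructed, simplified Sysmon-style key=value lines: it tracks every process descended from EXCEL.EXE, walking the tree so that a powershell.exe started by a cmd.exe that Excel spawned still counts (this goes beyond the bullet's direct-child wording), flags shells and script hosts among those descendants, and flags any descendant that later makes a network connection while leaving Excel's own connections unflagged. The log layout, the entries in SUSPICIOUS_CHILDREN beyond cmd.exe and powershell.exe, and the function names are assumptions of this example.

```python
import re
from typing import Dict, Iterable, List

# Constructed, simplified Sysmon-style lines (not real telemetry; the layout is an assumption).
# EventID=1 models process creation, EventID=3 models a network connection by a process.
SAMPLE_LOG = [
    r"EventID=1 UtcTime=2026-04-15T09:12:01 ProcessId=3980 Image=C:\Program Files\Microsoft Office\Office12\EXCEL.EXE ParentProcessId=1204 ParentImage=C:\Windows\explorer.exe",
    r"EventID=1 UtcTime=2026-04-15T09:12:03 ProcessId=4120 Image=C:\Windows\System32\cmd.exe ParentProcessId=3980 ParentImage=C:\Program Files\Microsoft Office\Office12\EXCEL.EXE",
    r"EventID=1 UtcTime=2026-04-15T09:12:04 ProcessId=4188 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentProcessId=4120 ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1 UtcTime=2026-04-15T09:12:05 ProcessId=4300 Image=C:\Users\alice\AppData\Local\Temp\update.exe ParentProcessId=3980 ParentImage=C:\Program Files\Microsoft Office\Office12\EXCEL.EXE",
    r"EventID=3 UtcTime=2026-04-15T09:12:06 ProcessId=4300 Image=C:\Users\alice\AppData\Local\Temp\update.exe DestinationIp=203.0.113.10 DestinationPort=443",
    r"EventID=1 UtcTime=2026-04-15T09:15:00 ProcessId=4500 Image=C:\Windows\System32\notepad.exe ParentProcessId=1204 ParentImage=C:\Windows\explorer.exe",
    r"EventID=3 UtcTime=2026-04-15T09:15:10 ProcessId=3980 Image=C:\Program Files\Microsoft Office\Office12\EXCEL.EXE DestinationIp=192.0.2.20 DestinationPort=443",
]

# key=value pairs; a value runs until the next " key=" token, so paths with spaces survive.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Child images that are a strong signal when their ancestor is Excel. Assumption: this
# list extends the page's cmd.exe / powershell.exe examples with other script hosts and
# commonly abused signed binaries.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value line; values may contain spaces (e.g. 'Program Files')."""
    return dict(_KV.findall(line.strip()))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. '...\\EXCEL.EXE' -> 'excel.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_excel_child_processes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return alerts for processes descended from EXCEL.EXE.

    Assumes lines arrive in chronological order (a parent's creation event precedes
    its children) and ignores PID reuse, which is acceptable for a short window but
    would need a process GUID on real telemetry.
    """
    descendants: Dict[str, str] = {}   # pid -> image, for every process under EXCEL.EXE
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        ev = parse_line(raw)
        event_id = ev.get("EventID")
        if event_id == "1":
            pid, image = ev["ProcessId"], ev["Image"]
            under_excel = (basename(ev.get("ParentImage", "")) == "excel.exe"
                           or ev.get("ParentProcessId") in descendants)
            if not under_excel:
                continue
            descendants[pid] = image
            if basename(image) in SUSPICIOUS_CHILDREN:
                alerts.append({"rule": "excel_spawned_shell_or_script_host",
                               "time": ev["UtcTime"], "pid": pid, "image": image})
        elif event_id == "3" and ev.get("ProcessId") in descendants:
            # Excel's own connections are not in `descendants`, so they stay unflagged.
            alerts.append({"rule": "excel_child_network_connection",
                           "time": ev["UtcTime"], "pid": ev["ProcessId"],
                           "image": ev["Image"],
                           "dest": f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_excel_child_processes(SAMPLE_LOG):
        print(alert)
```

On the sample, the run produces three alerts: cmd.exe under Excel, powershell.exe under that cmd.exe, and the Temp-directory update.exe once it connects out; notepad.exe under explorer.exe and Excel's own outbound connection produce nothing. Excel talking to the network by itself is routine, which is why the rule keys on the children rather than on EXCEL.EXE.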

Key Details

Property              Value
CVE ID                CVE-2009-0238
Vendor / Product      Microsoft — Office
NVD Published         2009-02-25
NVD Last Modified     2026-04-14
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-94 — Improper Control of Generation of Code ('Code Injection')
CISA KEV Added        2026-04-14
CISA KEV Deadline     2026-04-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-04-28. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2009-02-25   CVE-2009-0238 published; active exploitation in the wild observed (Trojan.Mdropper.AC)
2009-04-14   Microsoft patches the vulnerability via Security Bulletin MS09-009 (Critical)
2026-04-14   Added to CISA Known Exploited Vulnerabilities catalog — 17 years after patching, fresh exploitation confirmed
2026-04-28   CISA BOD 22-01 remediation deadline