- CISA adds an 18-year-old Excel bug (CVE-2009-0238) to the KEV catalog
- Vulnerability enables RCE via malicious Excel files, patched long ago
- Outdated systems still at risk; agencies ordered to patch by April 28
As incredible as it sounds, there are still systems out there that are vulnerable to 18-year-old Microsoft Excel vulnerabilities, and it’s no surprise that cybercriminals are taking advantage of that fact.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently updated its catalog of known exploited vulnerabilities (KEV) – a list of flaws confirmed to be exploited in the wild – to add CVE-2009-0238, a bug in Microsoft Excel first discovered in 2009.
According to the National Vulnerability Database (NVD), the flaw allows threat actors to execute arbitrary code (RCE) via a crafted Excel document “that triggers an access attempt on an invalid object”.
A week to patch
This vulnerability, given a severity score of 8.8/10 (High), was first observed being used to deliver the Trojan.Mdropper.AC malware.
It affects Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac. It was patched literally ages ago.
Even so, it appears that there are systems out there still using this severely outdated and thus vulnerable software. CISA added the flaw to the KEV on April 14, 2026 and gave Federal Civilian Executive Branch (FCEB) agencies one week to remediate it (April 28).
Other than that, we don’t know much about who is exploiting the flaw and for what purpose. CISA could not say whether the bug was used in ransomware infections or not. We can assume that the attacks include a phishing email with a weaponized Excel document.
Also, if we assume that unlisted versions are safe, this would mean that anyone running these is not at risk:
- Excel 2007 (SP2 and later)
- Excel 2010
- Excel 2013
- Excel 2016
- Excel 2019
- Excel 2021
- Excel for Microsoft 365 (all versions)
- Excel for Mac (versions newer than 2008)
Via The Register