Ancient Excel bug comes out of retirement for active attacks

Summary

CISA has added a 17-year-old critical Microsoft Excel vulnerability (CVE-2009-0238) to its Known Exploited Vulnerabilities catalogue after confirming active exploitation. The flaw is a remote code execution issue that can be triggered when a user opens a specially crafted Excel document containing a malformed object. Microsoft originally patched the bug in 2009 after it was abused by a loader called Trojan.Mdropper.AC. Affected products are legacy Excel versions and viewers; CISA has imposed a two-week patch deadline for federal civilian agencies.

Key Points

  • CISA confirmed active exploitation of CVE-2009-0238 and added it to its KEV list.
  • The vulnerability is an RCE triggered by opening a specially crafted Excel file containing a malformed object.
  • Microsoft first patched the bug in 2009 after exploitation by Trojan.Mdropper.AC; affected versions are older Excel builds and viewers.
  • CISA gave federal civilian executive branch agencies two weeks to patch — shorter than the usual window.
  • Successful exploitation can allow attackers to run arbitrary code, install programs, and take full control under the victim’s account privileges.
  • The advisory provided few details about who is exploiting the flaw or their motives, which is common practice for KEV entries.
  • The notice was published alongside other recently exploited bugs (for example CVE-2026-32201 in SharePoint) highlighted during this Patch Tuesday.

Content Summary

CISA issued an alert after Microsoft rolled out its April Patch Tuesday updates, confirming that the long‑standing Excel vulnerability CVE-2009-0238 is again being abused in the wild. The bug allows remote code execution when a malformed object in an Excel document is opened. Microsoft fixed the problem back in 2009; at that time it was exploited by Trojan.Mdropper.AC. Despite the age of the flaw, CISA has moved it onto its KEV list and shortened the patch window for US federal civilian agencies to two weeks.

The advisory did not disclose technical exploitation details or the attackers’ identity. The Register points out that the move to the KEV catalogue is significant because it forces faster patching cycles for government bodies. The story was published alongside coverage of other exploited vulnerabilities fixed in this Patch Tuesday, including a recent SharePoint spoofing flaw used as a zero-day.

Context and Relevance

This is a reminder that legacy vulnerabilities can resurface and be weaponised long after they were first patched. Organisations that still allow older Office viewers or unpatched legacy Excel installations are at heightened risk. The CISA KEV listing raises the priority for US federal agencies — and is a useful signal for private sector risk teams to revisit patching and mitigations.

Key relevance: threat actors continue to exploit social engineering (malicious documents) to deliver loaders and follow‑on malware. Even old CVEs matter if the environment still contains vulnerable software or users are likely to open unsolicited spreadsheets.

Why should I read this?

Short version: ancient bugs bite. If you run old Excel viewers, haven’t patched legacy Office installs, or manage endpoints, this is a wake‑up call. CISA has escalated the issue — so patch, block, and remind users not to open random spreadsheets. We’ve skimmed the detail so you don’t have to.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/04/15/excel_exploit/