Ancient Excel bug comes out of retirement for active attacks • The Register
https://www.theregister.com/2026/04/15/excel_exploit/
Publish Date: 2026-04-15 07:46:00
Source Domain: www.theregister.com
While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.
CISA confirmed shortly after Microsoft rolled out 165 patches on April 14 that CVE-2009-0238 (9.3), first published on February 24, 2009, was being abused in active attacks.
It added the bug to its Known Exploited Vulnerabilities (KEV) catalog and set a two-week deadline for federal civilian executive branch (FCEB) agencies to patch – one week less than they usually get.
CISA did not reveal much about how the Excel vulnerability is being exploited, nor by whom or for what purpose, as is often the case with its KEV publications.
However, its description of CVE-2009-0238 is unchanged from Microsoft’s initial advisory. We know that it’s a remote code execution (RCE) issue that attackers can trigger by convincing victims to open a specially crafted Excel document that “includes a malformed object.”
Microsoft notified the community and issued a fix for CVE-2009-0238 when it was first discovered being exploited by Trojan.Mdropper.AC, a loader used to deliver other malware in follow-on attacks.
It affects the following versions:
- Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1
- Excel Viewer 2003 Gold and SP3
- Excel Viewer
- Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1
- Excel in Microsoft Office 2004 and 2008 for Mac
“An attacker who successfully exploited these vulnerabilities could take complete control of an affected system,” Microsoft said in an advisory at the time of its initial disclosure in 2009.
“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system…