On 14 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2009-0238 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Microsoft Office, specifically Excel, and is known as the Microsoft Office Remote Code Execution vulnerability. It allows an attacker to execute arbitrary code when a user opens a specially crafted Excel file containing a malformed object.
The vulnerability is a remote code execution issue in Excel's handling of embedded objects. An attacker who can convince a victim to open a malicious Excel file gains the same privileges as the current user; where that user holds administrative rights, this can lead to full system compromise. The flaw carries a CVSS score of 8.8, rated HIGH. It is documented in Microsoft Security Bulletin MS09-009 and stems from improper validation of OLE objects within Excel workbooks. Microsoft released a security patch in March 2009, and it remains available.
CISA's inclusion of the entry indicates that active exploitation of CVE-2009-0238 has been observed in the wild. No public reporting links this flaw to ransomware campaigns at this time. Federal civilian executive branch (FCEB) agencies must apply the required mitigations by 28 April 2026, the remediation deadline set by CISA.
CISA directs affected agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While the binding directive applies only to FCEB organisations, all organisations should review their Office deployments for unpatched installations and implement the recommended actions promptly. Organisations should also review email and web gateway controls to block unsolicited Office files from unknown senders.
For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2009-0238 and the CISA KEV catalogue.