www.cisa.gov 4/14/2026, 11:08:17 PM

CISA Adds CVE-2009-0238 Excel Flaw to KEV Catalog, Urges Patching

CyberSIXT Evidence Panel
Primary Source: learn.microsoft.com
CISA KEV: Listed in KEV
Patch: Patch Available

According to CISA, the Known Exploited Vulnerabilities (KEV) Catalog lists CVE-2009-0238 as a Microsoft Office remote code execution vulnerability: Microsoft Office Excel could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file containing a malformed object. The entry lists CWE-94 as the related weakness and records use in ransomware campaigns as "Unknown".

The recommended action is to apply mitigations per vendor instructions, follow applicable guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The record shows a Date Added of 14 April 2026 and a Due Date of 28 April 2026. Additional references linked in the entry point to Microsoft security bulletins from 2009 and the NVD page for CVE-2009-0238.

This KEV listing emphasises the ongoing importance of prioritising vulnerability management and applying available mitigations to reduce exposure to exploited flaws in widely used software.

Article by CyberSIXT
