Ancient Excel bug comes out of retirement for active attacks

April 15, 2026

What happened

It has been reported that the US Cybersecurity and Infrastructure Security Agency (CISA) added a 17‑year‑old Microsoft Excel flaw, CVE‑2009‑0238, to its Known Exploited Vulnerabilities (KEV) catalog after it was observed in active attacks. The move came shortly after Microsoft rolled out a bumper Patch Tuesday with 165 fixes on April 14. CISA set a two‑week deadline for federal civilian executive branch agencies to patch the issue — one week less than the usual window. Who expected a teenaged bug to make a comeback?

The bug

CVE‑2009‑0238 is a remote‑code‑execution vulnerability that can be triggered when a victim opens a specially crafted Excel document containing a malformed object. Microsoft first fixed the flaw in 2009 after it was exploited by Trojan.Mdropper.AC, a loader used to deliver follow‑on malware. The vulnerability affects legacy Excel and viewer builds — Excel 2000/2002/2003/2007 (and various viewers and Mac Office 2004/2008 variants) — and, if successfully exploited, could give an attacker complete control of an affected system, Microsoft warned at the time.

Why this matters

It has been reported that CISA did not disclose many details about how the flaw is currently being abused, nor who is behind the activity, a familiar refrain when KEV listings go up. The emotional sting here is simple: an old, patched bug coming back around means defenders must revisit assumptions. Patches for modern systems are straightforward; the real headache is environments still running legacy Office builds or relying on sloppy document‑handling policies. Time is short and the potential impact is high.

Context and next steps

CVE‑2009‑0238 was listed alongside a more recent SharePoint issue, CVE‑2026‑32201, which Microsoft confirmed was exploited as a zero‑day. Industry voices warn the SharePoint flaw can let attackers fake trusted content at scale and be used in phishing campaigns — a neat trick for social engineers. Organizations should prioritize applying available patches, tighten document handling and email filtering, and audit legacy Office installs. Old bugs don’t always stay retired.
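
One way to start the legacy Office audit recommended above, as an added example that is not from the original article: a Python pass over a software inventory export that flags the Excel builds the article lists as affected. The CSV columns, host names and version strings are constructed, and matching by major version number (9 through 12) and by year in the Mac product name is an assumption about how the inventory reports them.

```python
import csv
import io
from collections import defaultdict

# Major version -> release, for the Windows Excel builds the article lists as affected.
AFFECTED_WIN = {9: "Excel 2000", 10: "Excel 2002", 11: "Excel 2003", 12: "Excel 2007"}
# Office for Mac releases the article lists (matched by year in the product name).
AFFECTED_MAC = ("2004", "2008")

# Constructed sample inventory (hypothetical hosts; the column layout is an assumption).
SAMPLE_INVENTORY = """host,product,version
fin-ws-01,Microsoft Office Excel 2007,12.0.6425.1000
fin-ws-01,Microsoft Office Excel Viewer,12.0.6219.1000
hr-ws-07,Microsoft Excel,16.0.17328.20162
lab-xp-02,Microsoft Office Excel 2003,11.0.8169.0
design-mac-3,Microsoft Office 2008 for Mac,12.1.0
ops-ws-11,Microsoft Excel,unknown
ops-ws-12,Microsoft Word 2007,12.0.6425.1000
"""

def classify(product, version):
    """Return a label for an affected build, 'unparsed' when the version cannot
    be read (needs a manual look), or None when the row is out of scope."""
    name = product.lower()
    if "mac" in name and "office" in name:
        return next((f"Office {y} for Mac" for y in AFFECTED_MAC if y in name), None)
    if "excel" not in name:
        return None
    try:
        major = int(version.split(".")[0])
    except ValueError:
        return "unparsed"
    release = AFFECTED_WIN.get(major)
    if release and "viewer" in name:
        return f"Excel Viewer ({major}.x)"
    return release

def audit(csv_text):
    """Group findings per host: {host: [(product, version, label), ...]}."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row["product"], row["version"].strip())
        if label:
            findings[row["host"]].append((row["product"], row["version"], label))
    return dict(findings)

if __name__ == "__main__":
    for host, rows in sorted(audit(SAMPLE_INVENTORY).items()):
        for product, version, label in rows:
            print(f"{host}: {product} {version} -> review ({label})")
```

A flagged row means the build needs a patch-level review, since the inventory version alone does not show whether the 2009 fix is installed.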

Sources: The Register