A malformed-object flaw in Microsoft Excel allows a crafted spreadsheet to execute arbitrary code on the opening user's system, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-04-14.
What Is It
CVE-2009-0238 is a remote code execution vulnerability in Microsoft Office Excel. A crafted Excel document triggers an access attempt on an invalid object, allowing a remote attacker to execute arbitrary code in the context of the user who opens the file. NVD classifies the weakness as CWE-94 (code injection) and scores it CVSS 3.1 8.8 HIGH (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H); the legacy CVSS 2.0 score is 9.3. Exploitation requires user interaction; the victim must open the malicious file.
Why It Matters
CISA's KEV entry confirms active exploitation and gives federal agencies until 2026-04-28 to remediate. The NVD record notes the bug was exploited in the wild in February 2009 by Trojan.Mdropper.AC, meaning weaponized samples have existed for years. Successful exploitation yields complete control of the affected system, with full confidentiality, integrity, and availability impact. Known ransomware use is listed as Unknown in the KEV entry. The low attack complexity and network attack vector mean any phishing lure carrying a malicious .xls is a viable delivery path against unpatched hosts.
What's Vulnerable
Per NVD, the affected products are:
- Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1
- Excel Viewer (including Excel Viewer 2003 Gold and SP3)
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1
- Excel in Microsoft Office 2004 and 2008 for Mac
Patch Status
Microsoft addressed the issue in security bulletin MS09-009. CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal due date: 2026-04-28.