[KEV] CVE-2009-0238 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2009-0238 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2009-0238 is a remote code execution vulnerability in Microsoft Office Excel, triggered when a user opens a specially crafted Excel file containing a malformed object.

Technical Detail

The flaw involves improper handling of a malformed object embedded within an Excel file, which can corrupt memory in a way that allows arbitrary code execution in the context of the logged-in user. An attacker exploits this through a user-interaction vector, typically delivering the malicious file via email attachment, download link, or shared document. Successful exploitation grants the attacker complete control of the affected system, with privileges equivalent to the current user.

Exploitation Status

The exploit maturity for this vulnerability is rated Operational, meaning functional exploit code exists and has been used in real-world attacks. CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 14, 2026. Despite the age of this vulnerability, its presence on the KEV catalog indicates it remains a viable attack vector in current threat activity.

Who Is Targeting This

No specific threat actor attribution is confirmed at this time. The absence of attribution data does not reduce the risk, as the operational exploit maturity and KEV listing indicate active use by unspecified actors.

What To Do

Organizations should apply all available Microsoft security patches for the affected Office Excel versions immediately. Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to remediate this vulnerability by the deadline associated with the April 14, 2026 KEV listing. Where patching cannot be completed immediately, organizations should restrict the opening of Excel files from untrusted sources, disable automatic execution of embedded objects in Office applications via Group Policy, and consider enabling Protected View settings in Microsoft Office to reduce exposure. Detection efforts should focus on monitoring for suspicious child processes spawned by Excel, as well as anomalous network connections originating from Office application processes.
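The detection guidance above can be expressed as a small triage routine. This is an added example, not part of the original briefing: it uses Sysmon field names (EventID 1 for process creation, EventID 3 for network connection), and the allowlists, paths and sample events are constructed assumptions to be replaced with site-specific values.

```python
from ipaddress import ip_address, ip_network
from ntpath import basename  # parses Windows paths on any platform

OFFICE_PARENTS = {"excel.exe"}
# Assumption: children Excel may legitimately start in this environment.
ALLOWED_CHILDREN = {"excel.exe", "splwow64.exe"}
# Assumption: internal ranges Excel may reach (file shares, proxies).
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def triage(event):
    """Return a finding string for a suspicious event, or None."""
    image = basename(event.get("Image", "")).lower()
    if event.get("EventID") == 1:
        # Process creation: flag unexpected children of Excel.
        parent = basename(event.get("ParentImage", "")).lower()
        if parent in OFFICE_PARENTS and image not in ALLOWED_CHILDREN:
            return f"child-process: {parent} -> {image} ({event.get('CommandLine', '')})"
    elif event.get("EventID") == 3 and image in OFFICE_PARENTS:
        # Network connection: flag Excel talking outside the allowed ranges.
        dest = ip_address(event["DestinationIp"])
        if not any(dest in net for net in ALLOWED_NETS):
            return f"network: {image} -> {dest}:{event.get('DestinationPort')}"
    return None

def scan(events):
    """Return findings for all suspicious events, in input order."""
    return [finding for finding in map(triage, events) if finding]

# Constructed sample events (hypothetical paths and addresses).
EXCEL = r"C:\Program Files\Microsoft Office\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "EXCEL.EXE report.xls"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EXCEL,
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "Image": r"C:\Windows\splwow64.exe", "ParentImage": EXCEL,
     "CommandLine": "splwow64.exe 8192"},
    {"EventID": 3, "Image": EXCEL, "DestinationIp": "10.1.2.3", "DestinationPort": 445},
    {"EventID": 3, "Image": EXCEL, "DestinationIp": "203.0.113.50", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

An allowlist approach is used because the set of legitimate Excel child processes is small, while the set of processes an exploit might start is open-ended.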
