The US Cybersecurity and Infrastructure Security Agency (CISA) is warning federal agencies about a 17-year-old Excel vulnerability currently being used in active cyberattacks, according to go.theregister.com.
CISA added CVE-2009-0238 to its Known Exploited Vulnerabilities (KEV) catalog shortly after Microsoft released 165 patches on April 14. The agency has imposed a two-week deadline for federal civilian executive branch agencies to patch the flaw, which is one week shorter than the standard requirement.
CISA has not specified the identity or motive of the attackers. The vulnerability is a remote code execution (RCE) issue: attackers can trigger the flaw by tricking users into opening a specially crafted Excel document containing a malformed object, the outlet reported.
A legacy threat
The bug dates back to February 24, 2009. At the time of its initial disclosure, Microsoft warned that successful exploitation could allow attackers to take full control of an affected system.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft stated in its original advisory, according to go.theregister.com.
The vulnerability affects several legacy versions of Microsoft Office, including Excel 2000, 2002, 2003, and 2007, as well as Excel Viewer and certain Mac versions from 2004 and 2008.
This resurgence of an old bug coincides with a massive Patch Tuesday from Microsoft. Alongside the Excel issue, CISA also recently added CVE-2026-32201 to its catalog. This more recent SharePoint Server spoofing flaw was exploited as a zero-day and allows attackers to manipulate data over a network.