While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.
CISA confirmed shortly after Microsoft rolled out 165 patches on April 14 that CVE-2009-0238 (9.3), first published on February 24, 2009, was being abused in active attacks.
It added the bug to its Known Exploited Vulnerability (KEV) catalog and set a two-week deadline for federal civilian executive branch (FCEB) agencies to patch – one week less than they usually get.
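The practical consequence of a KEV listing is the remediation deadline, so a defender's first step is to match the catalog against what is actually deployed and sort by time remaining. The script below is an added example, not code from The Register or from CISA: it parses a constructed feed in the shape of CISA's published KEV JSON (the field names cveID, vendorProject, product, dateAdded and dueDate follow the real feed; the entries, dates and host inventory are sample values made up for illustration, and CVE-0000-0000 is a placeholder) and reports which listed CVEs touch our inventory and how many days are left before the due date.

```python
"""Triage a KEV-style catalog against a local product inventory.

Added example, not from the article or from CISA. Field names follow
CISA's KEV JSON feed; every entry, date and hostname below is constructed.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed (not the live catalog).
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the live CISA catalog",
    "vulnerabilities": [
        {
            "cveID": "CVE-2009-0238",
            "vendorProject": "Microsoft",
            "product": "Office",
            "vulnerabilityName": "Excel remote code execution (sample entry)",
            "dateAdded": "2026-04-14",          # constructed date
            "dueDate": "2026-04-28",            # constructed: two weeks after dateAdded
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-2026-32201",
            "vendorProject": "Microsoft",
            "product": "SharePoint Server",
            "vulnerabilityName": "SharePoint Server spoofing (sample entry)",
            "dateAdded": "2026-04-14",          # constructed date
            "dueDate": "2026-05-05",            # constructed: the usual three weeks
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-0000-0000",           # placeholder entry for a product we do not run
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "placeholder entry",
            "dateAdded": "2026-04-14",
            "dueDate": "2026-05-05",
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
    ],
})

# Constructed inventory: (vendorProject, product) -> hosts where it is installed.
SAMPLE_INVENTORY = {
    ("Microsoft", "Office"): ["ws-01", "ws-02"],
    ("Microsoft", "SharePoint Server"): ["sp-01"],
}


def load_kev(text: str) -> list[dict]:
    """Parse KEV JSON text and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def triage(entries: list[dict], inventory: dict, today: date) -> list[dict]:
    """Return the KEV entries that match our inventory, soonest due date first.

    Each finding carries the affected hosts, the days left until the CISA
    due date, and an overdue flag (negative days left).
    """
    findings = []
    for entry in entries:
        hosts = inventory.get((entry["vendorProject"], entry["product"]))
        if not hosts:
            continue  # product not deployed here; nothing to remediate
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        findings.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "hosts": list(hosts),
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    # Constructed "today" so the output is stable; use date.today() in practice.
    for f in triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date(2026, 4, 20)):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['cveID']:<16} {f['product']:<18} due {f['dueDate']}  {status}  hosts={f['hosts']}")
```

In production the feed text would come from CISA's published JSON and the inventory from an asset database; the matching here is a plain (vendor, product) lookup, so the product names in the inventory must be normalised to the strings the catalog uses.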
CISA did not reveal much about how the Excel vulnerability is being exploited, nor by whom or for what purpose, as is often the case with its KEV publications.
However, its description of CVE-2009-0238 is unchanged from Microsoft's initial advisory. We know that it's a remote code execution (RCE) issue that attackers can trigger by convincing victims to open a specially crafted Excel document that "includes a malformed object."
Microsoft notified the community and issued a fix for CVE-2009-0238 when it was first discovered being exploited by Trojan.Mdropper.AC, a loader used to deliver other malware in follow-on attacks.
It affects the following versions:
"An attacker who successfully exploited these vulnerabilities could take complete control of an affected system," Microsoft said in an advisory at the time of its initial disclosure in 2009.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Joining CVE-2009-0238 in CISA's KEV catalog was a far more recent vulnerability, one that was addressed in this week's Patch Tuesday – CVE-2026-32201 (6.5).
The SharePoint Server spoofing flaw was exploited as a zero-day, Microsoft confirmed in its advisory. It did not say who was behind it, however.
The flaw exists because of improper input validation, allowing attackers to spoof data over a network. Successful exploits can give attackers access to sensitive information and the ability to alter disclosed information.
As Mike Walters, president and co-founder of patch management provider Action1, told The Register this week: "By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content."
Walters added that the vulnerability could feasibly be used as part of phishing campaigns or other forms of social engineering attacks.
"The flaw lets attackers fake trust at scale: what looks legitimate may actually be a carefully crafted deception. It can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments." ®
Source: The Register