Intro
There is something almost comforting about old Microsoft bugs. Like a favourite cardigan, or a radiator that knocks in the night, they never really go away. They just wait.
This week, while Microsoft was busy dumping a wheelbarrow full of Patch Tuesday fixes onto the lawn, CISA quietly reminded everyone that a 17-year-old Excel vulnerability is now being actively exploited again.
Yes. A vulnerability from 2009. Old enough to drive. Old enough to have opinions about music. Old enough, frankly, to know better.
And yet here we are.
Excel, but make it remote code execution
The bug in question is CVE-2009-0238, a critical Excel remote code execution vulnerability with a CVSS score of 9.3.
The trick is wonderfully, depressingly familiar. An attacker sends you a specially crafted Excel file containing a malformed object. You open it. Excel has a small internal crisis. The attacker gets code execution.
That is it. No quantum hacking. No cyber-ninja backflip. Just a poisoned spreadsheet and a victim prepared to click on it.
CISA has now added the flaw to its Known Exploited Vulnerabilities catalogue, which is government-speak for "this is no longer theoretical, please stop pretending it is somebody else's problem."
Retirement was clearly not for everyone
Microsoft originally disclosed and patched this bug back in February 2009, when it was seen in the wild being exploited by Trojan.Mdropper.AC, a loader used to pull down additional malware.
In other words, this is not even a new trick. It is an old trick, wearing an old coat, walking back into the building because nobody changed the locks.
At the time, Microsoft warned that successful exploitation could give an attacker complete control of the affected system. Install programs, change or delete data, create new accounts, the usual cheerful possibilities.
And here is the really magnificent bit: CISA has given federal agencies two weeks to patch it. Normally they get three. So even the people whose job titles contain the word bureaucracy have looked at this one and said, “No, actually, get on with it.”
What does it hit
The list of affected software is a little museum exhibit of old Microsoft Office history:
- Microsoft Office Excel 2000 SP3
- Microsoft Office Excel 2002 SP3
- Microsoft Office Excel 2003 SP3
- Microsoft Office Excel 2007 SP1
- Excel Viewer 2003 Gold and SP3
- Excel Viewer
- Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1
- Excel in Microsoft Office 2004 for Mac
- Excel in Microsoft Office 2008 for Mac
So yes, some of this should absolutely have been retired years ago. But if experience has taught us anything, it is that somewhere, in some office, behind some cupboard, there is still a system running one of these because Barry in accounts says the new one feels different.
The real lesson here
Whenever a bug this old shows up in active exploitation again, the lesson is rarely that attackers are unusually clever. The lesson is usually that defenders are still carrying far too much old junk.
Legacy software does not become safe simply because it is embarrassing. It just becomes forgotten. And forgotten technology is often the easiest thing in the world to abuse.
This is the bit many organisations still do not grasp: patching is only half the answer. The other half is asset management, software lifecycle control, and occasionally walking around with a clipboard asking, “Why is this machine still alive?”
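As an added example (not from the article, and not Microsoft's or CISA's tooling), here is what the "clipboard" advice looks like when written down: take a software inventory export and flag every host that still carries one of the products on the affected list above. The CSV layout, the host names and the sample rows are constructed for illustration; the product names are the ones from the advisory list quoted in the article. Exact matches are reported as "affected"; Excel-branded entries from the 2000-2008 generations whose names drift from the advisory wording ("Microsoft Excel 2007 (Trial)" rather than "Microsoft Office Excel 2007") are reported as "review" so a human looks at them. None of these products is still serviced, so any match is a finding; the service-pack token is carried into the report only so the remediation ticket has it.

```python
"""Added example: flag hosts whose software inventory still lists a product
from the CVE-2009-0238 affected list. Inventory format, hosts and rows below
are constructed, not taken from any real estate."""
from __future__ import annotations

import csv
import io
import re

# Product names as given in the advisory list. Inventory strings are normalised
# (case, whitespace, parenthetical tags, SP marker) before being compared.
AFFECTED_PRODUCTS = {
    "microsoft office excel 2000",
    "microsoft office excel 2002",
    "microsoft office excel 2003",
    "microsoft office excel 2007",
    "excel viewer 2003",
    "excel viewer",
    "compatibility pack for word, excel, and powerpoint 2007 file formats",
    "excel in microsoft office 2004 for mac",
    "excel in microsoft office 2008 for mac",
}

_SP_RE = re.compile(r"\b(?:sp|service pack)\s*(\d)\b|\b(gold)\b", re.IGNORECASE)
_PAREN_RE = re.compile(r"\s*\([^)]*\)")   # "(English)", "(Trial)", "(x86)"
_YEAR_RE = re.compile(r"\b(20\d\d)\b")


def normalise(name: str) -> tuple[str, str | None]:
    """Return (canonical product name, service-pack token or None)."""
    sp = None
    m = _SP_RE.search(name)
    if m:
        sp = "gold" if m.group(2) else f"sp{m.group(1)}"
        name = name[: m.start()] + name[m.end():]
    name = _PAREN_RE.sub("", name)
    name = re.sub(r"\s+", " ", name).strip().lower()
    return name, sp


def classify(product: str) -> str | None:
    """'affected' for an exact list match, 'review' for Excel-branded 2000-2008
    products under a different name, None for everything else."""
    canon, _ = normalise(product)
    if canon in AFFECTED_PRODUCTS:
        return "affected"
    year = _YEAR_RE.search(canon)
    if "excel" in canon and year and 2000 <= int(year.group(1)) <= 2008:
        return "review"
    return None


def find_exposed_hosts(inventory_csv: str) -> dict[str, list[tuple[str, str, str | None]]]:
    """Map host -> [(product as listed, verdict, service pack)] for flagged installs.
    Expects columns host,product,version (assumed export layout)."""
    findings: dict[str, list[tuple[str, str, str | None]]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = classify(row["product"])
        if verdict:
            _, sp = normalise(row["product"])
            findings.setdefault(row["host"], []).append((row["product"], verdict, sp))
    return findings


# Constructed sample export: one modern host, the rest assorted museum pieces.
SAMPLE_INVENTORY = """\
host,product,version
FIN-PC-07,Microsoft Office Excel 2003 SP3 (English),11.0
FIN-PC-07,"Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1",12.0
HR-LT-12,Microsoft Office Professional Plus 2019,16.0
MKT-MAC-03,Excel in Microsoft Office 2008 for Mac,12.3
LEGACY-SRV,Excel Viewer,11.0
OPS-PC-02,Microsoft Excel 2007 (Trial),12.0
"""

if __name__ == "__main__":
    for host, items in sorted(find_exposed_hosts(SAMPLE_INVENTORY).items()):
        for product, verdict, sp in items:
            print(f"{host:12} {verdict:9} {product} (sp={sp or 'n/a'})")
```

Point it at the export from whatever asset tool you actually run, and treat the "review" tier as a queue for the person with the clipboard rather than a verdict.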
Not just Excel, of course
CISA also added a more recent flaw to the KEV catalogue: CVE-2026-32201, a SharePoint Server spoofing vulnerability fixed in this month's Patch Tuesday.
That one is more modern, more polished, and more in keeping with today's fashionable enterprise misery. Microsoft says it was exploited as a zero-day. The underlying issue is improper input validation, which allows attackers to spoof data over a network.
Translated into plain English: an attacker can make bad information look trustworthy inside a system people already trust.
And that is where this gets nasty. Not because it is technically exotic, but because it is socially useful. If you can falsify what people see in a trusted SharePoint environment, you can support phishing, fraud, social engineering, and all the other delightful arts of modern business disruption.
It is not about smashing the front door in. It is about putting on a high-vis vest, carrying a clipboard, and being waved straight through.
Overview
The old Excel bug matters because it is old. That is precisely why it is interesting.
It tells us that ancient weaknesses do not disappear just because the industry has found shinier disasters to talk about. They sit there, quietly fermenting, until someone remembers them.
Which, this week, somebody clearly did. So if you are still carrying legacy Office deployments, forgotten Excel viewers, or random compatibility packs installed during the reign of Gordon Brown, now would be an excellent time to go and have an awkward conversation with your estate.
Because the attackers, as ever, are not asking whether software is old.
They are asking whether it still works.