🚨 CRITICAL ALERT: Active Zero-Day Exploits

CISA added CVE-2009-0238 (CVSS 8.8) to the KEV catalog on April 14, 2026, confirming active exploitation of this 17-year-old Microsoft Office Excel remote code execution vulnerability, alongside CVE-2026-32201 in SharePoint. Unpatched systems remain critically exposed to arbitrary code execution via malicious Excel files, a technique exploited in the wild since 2009.

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2009-0238 (CVSS: 8.8): Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, 2007 SP1; Excel Viewer 2003; Compatibility Pack SP1; Excel in Office 2004/2008 for Mac allow remote attackers to execute arbitrary code via crafted Excel documents triggering invalid object access. Actively exploited in the wild since 2009 and newly confirmed by CISA. View NVD | CISA KEV
  • CVE-2026-32201 (CVSS: >=8.0): Microsoft SharePoint Server improper input validation flaw enabling remote code execution. Added to CISA KEV due to evidence of active exploitation. View NVD | CISA KEV

⚡ Immediate Actions Required

Federal civilian agencies and critical infrastructure must remediate within 21 days per CISA BOD 22-01. Prioritize:

  • Patch all affected Microsoft Office and SharePoint instances immediately using Microsoft Security Bulletin MS09-023 for CVE-2009-0238.
  • Block malicious Excel files via email/web gateways; disable legacy Office formats.
  • Inventory unpatched legacy systems—age does not equal safety; isolate or air-gap if unpatchable.
  • Hunt for indicators: Trojan.Mdropper.AC and crafted .xls files; monitor for anomalous Excel processes.
  • Report incidents to CISA via CISA Reporting.
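
One way to hunt for the anomalous Excel processes mentioned above, as an added example that is not part of the original alert: it scans process-creation records for Excel starting a shell, a script host, or a binary from a user-writable path. The field names follow Sysmon Event ID 1; the sample events, host names and both match lists are constructed assumptions to tune per environment.

```python
import json
import ntpath

# Children Excel rarely has a legitimate reason to start (assumed list; tune per environment).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# User-writable locations where a dropped payload typically lands (assumed list).
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample events, one JSON record per line, using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = r"""
{"Computer":"WS-014","ParentImage":"C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE","Image":"C:\\Windows\\System32\\cmd.exe"}
{"Computer":"WS-014","ParentImage":"C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE","Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe"}
{"Computer":"WS-020","ParentImage":"C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE","Image":"C:\\Windows\\splwow64.exe"}
{"Computer":"WS-031","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Computer":"WS-040","ParentImage":"C:\\Program Fil
"""

def hunt_excel_children(lines):
    """Return (computer, child image, reason) for each suspicious Excel child process."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            parent = ntpath.basename(ev["ParentImage"]).lower()
            image = ev["Image"]
            child = ntpath.basename(image).lower()
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or incomplete record: skip it, keep hunting
        if parent != "excel.exe":
            continue  # only Excel-spawned processes are in scope here
        if child in SUSPICIOUS_CHILDREN:
            reason = "shell or script host started by Excel"
        elif any(d in image.lower() for d in WRITABLE_DIRS):
            reason = "binary in user-writable path started by Excel"
        else:
            continue  # e.g. the splwow64.exe printing helper
        hits.append((ev.get("Computer", "?"), image, reason))
    return hits

if __name__ == "__main__":
    for host, image, reason in hunt_excel_children(SAMPLE_EVENTS.splitlines()):
        print(f"{host}: {image} ({reason})")
```

Matching on the parent image rather than the document name keeps the check independent of file extension, so renamed or crafted .xls files are still covered.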

Active exploitation confirmed—patch now to block RCE chains.