Lyrie
ACTIVELY EXPLOITED · 3 sources verified · 4 min read
By Lyrie Threat Intelligence·4/14/2026

What happened

CISA has added CVE-2009-0238 to the Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed in-the-wild exploitation and setting a remediation due date of 2026-04-28 (CISA KEV). The entry tracks a Microsoft Office Excel remote code execution (RCE) flaw triggered when a user opens a specially crafted spreadsheet containing a malformed object (NVD CVE-2009-0238). The vulnerability is classified under code-injection risk (CWE-94) and is documented by both NVD and MITRE under the same CVE identifier (NVD CVE-2009-0238; MITRE CVE record).

CISA’s required action is to apply vendor mitigations or discontinue use if none are available, consistent with KEV policy for actively exploited weaknesses (CISA KEV). NVD confirms the target product scope as Microsoft Office/Excel and reiterates the user-open trigger condition for code execution (NVD CVE-2009-0238).

Why it matters

File-open RCEs short-circuit traditional user-awareness defenses because exploitation begins as soon as the document is opened, not when macros run or external content is fetched (NVD CVE-2009-0238). CISA’s KEV inclusion elevates this from "old CVE" to an active operational risk with a concrete response timeline for defenders (CISA KEV). The CWE-94 classification highlights that this is code-generation/processing gone wrong in Excel’s object handling, not a policy toggle or trust setting you can safely wish away (NVD CVE-2009-0238).

Enterprises still process legacy spreadsheets and inbound partner files daily, keeping this attack surface present across email gateways and file-sharing flows (CISA KEV). With CISA confirming exploitation pressure, any residual exposure becomes a high-ROI path for initial access via document lures (NVD CVE-2009-0238).

Technical detail

The vulnerability allows code execution when Excel parses a specially crafted file that embeds a malformed object, triggering unsafe processing that an attacker can control (NVD CVE-2009-0238). This is a user-assisted vector: the exploit condition is met when the victim opens the crafted spreadsheet, aligning with Office’s historical file-parsing bug class where crafted records corrupt internal state (NVD CVE-2009-0238). MITRE’s record confirms the identifier and ties it to the same underlying Excel RCE behavior tracked by the broader community (MITRE CVE record).

NVD references the Microsoft security guidance that originally addressed Excel RCE issues in the 2009 timeframe (commonly known as MS09-009), anchoring this CVE in the vendor’s patch lineage for file-format parsing vulnerabilities (NVD CVE-2009-0238). The flaw is mapped to CWE-94 (Improper Control of Generation of Code), indicating that attacker-controlled content influences the code path during object handling (NVD CVE-2009-0238). Practically, that means the risk is independent of macro settings and can trigger before any scripted content would be evaluated, as the parser itself encounters the malicious object structure on open (NVD CVE-2009-0238).

Because this is a document-parsing bug, common delivery channels include any workflow that convinces a target to open the file, consistent with KEV’s categorization of user-open RCEs as active exploitation candidates (CISA KEV). The vulnerability scope is Microsoft Office (Excel), with exploitation requiring no authentication beyond the victim’s open action (NVD CVE-2009-0238).

Defense

Immediate actions:

  • Prioritize remediation for all environments where Excel files may be opened, using the CVE as the tracking key across tooling and change tickets (CISA KEV; NVD CVE-2009-0238).
  • Apply vendor mitigations/updates that address CVE-2009-0238 in accordance with CISA’s KEV directive and your patch SLAs (CISA KEV; MITRE CVE record).

Compensating controls while patching:

  • Treat inbound Excel files from external or untrusted sources as high risk and route through sandboxing/detonation prior to user delivery, tuned for object-parsing anomalies tied to this CVE’s behavior (NVD CVE-2009-0238).
  • Enforce stricter file-handling policies on email and file-transfer paths that carry spreadsheets, with content inspection for malformed object structures where feasible (NVD CVE-2009-0238).
  • Monitor for suspicious Office behaviors during document open, such as unexpected process spawns from Excel, and alert at low thresholds while KEV pressure remains high (CISA KEV).
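
The process-spawn monitoring in the last bullet can be prototyped against process-creation telemetry before it is turned into a SIEM rule. The sketch below is an added example, not Lyrie's or Microsoft's code; it assumes Sysmon Event ID 1 records parsed into dicts, and the child-process baseline, host names and sample events are constructed for illustration.

```python
import ntpath

# Assumption: Sysmon Event ID 1 (process creation) records, already parsed into
# dicts keyed by Sysmon field names (Computer, ParentImage, Image, CommandLine).
EXCEL = r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE"  # constructed path
OFFICE_PARENTS = {"excel.exe"}
# Children Excel starts in normal use; an assumed baseline to tune per fleet.
EXPECTED_CHILDREN = {"excel.exe", "splwow64.exe"}
# Interpreters and proxy-execution binaries Excel has no routine reason to start.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def _name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path or "").lower()

def triage_excel_children(events):
    """Return one alert per process that Excel spawned outside the baseline."""
    alerts = []
    for ev in events:
        child_path = ev.get("Image", "")
        child = _name(child_path)
        if _name(ev.get("ParentImage")) not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
            continue
        # A binary running from a user-writable directory is escalated as well.
        from_user_dir = any(d in child_path.lower() for d in USER_WRITABLE)
        severity = "high" if child in HIGH_RISK_CHILDREN or from_user_dir else "review"
        alerts.append({"host": ev.get("Computer", "?"), "child": child,
                       "severity": severity, "cmdline": ev.get("CommandLine", "")})
    return alerts

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "ParentImage": r"C:\Windows\explorer.exe", "Image": EXCEL,
     "CommandLine": r'EXCEL.EXE "C:\Users\a\Downloads\invoice.xls"'},
    {"Computer": "WS-014", "ParentImage": EXCEL,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"Computer": "WS-014", "ParentImage": EXCEL,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"Computer": "WS-022", "ParentImage": EXCEL,
     "Image": r"C:\Users\b\AppData\Local\Temp\upd.exe", "CommandLine": "upd.exe"},
    {"Computer": "WS-031", "ParentImage": EXCEL,
     "Image": r"C:\Program Files\Vendor\Addin\helper.exe", "CommandLine": "helper.exe"},
]

if __name__ == "__main__":
    for alert in triage_excel_children(SAMPLE_EVENTS):
        print(alert)
```

Anything Excel launches outside the baseline is surfaced at "review" rather than dropped, which matches the low alert threshold the bullet asks for.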

Validation:

  • Correlate vulnerability scans and asset inventories against CVE-2009-0238 to ensure coverage parity across Office installations and VDI pools (NVD CVE-2009-0238).
  • Use secure-open workflows (isolated viewers, app sandboxes) for unknown spreadsheets until patch verification is complete, then step down controls as risk recedes (CISA KEV).
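
The coverage-parity check in the first validation bullet comes down to comparing two host lists in both directions. The sketch below is an added example, not part of the original advisory; the inventory and scanner record fields (host, excel_installed, cve, status) and all host names are hypothetical, and only the CVE ID and due date come from this page.

```python
from datetime import date

CVE_ID = "CVE-2009-0238"
KEV_DUE_DATE = date(2026, 4, 28)  # CISA KEV due date stated on this page

def _host_key(name):
    """Normalise 'WS-014.corp.example' and 'ws-014' to the same key."""
    return name.strip().lower().split(".")[0]

def coverage_parity(inventory, findings, today):
    """Compare hosts that have Excel with hosts the scanner assessed for the CVE."""
    excel_hosts = {_host_key(a["host"]) for a in inventory if a["excel_installed"]}
    known_hosts = {_host_key(a["host"]) for a in inventory}
    status = {}
    for f in findings:
        if f["cve"].upper() == CVE_ID:  # ignore findings for other CVEs
            status[_host_key(f["host"])] = f["status"]
    return {
        # Excel is installed but the scanner never reported on this CVE.
        "not_assessed": sorted(excel_hosts - status.keys()),
        # Assessed and still open.
        "still_vulnerable": sorted(h for h in excel_hosts if status.get(h) == "open"),
        # The scanner saw a host that the inventory does not know about.
        "missing_from_inventory": sorted(status.keys() - known_hosts),
        "days_to_due": (KEV_DUE_DATE - today).days,
    }

# Constructed sample data; field names are hypothetical, not a real scanner schema.
INVENTORY = [
    {"host": "WS-014", "excel_installed": True},
    {"host": "WS-022", "excel_installed": True},
    {"host": "VDI-POOL-03", "excel_installed": True},
    {"host": "SRV-DB-01", "excel_installed": False},
]
FINDINGS = [
    {"host": "ws-014.corp.example", "cve": "CVE-2009-0238", "status": "open"},
    {"host": "ws-022.corp.example", "cve": "CVE-2009-0238", "status": "fixed"},
    {"host": "lab-007.corp.example", "cve": "cve-2009-0238", "status": "open"},
    {"host": "srv-db-01.corp.example", "cve": "CVE-XXXX-XXXX", "status": "open"},  # placeholder ID
]

if __name__ == "__main__":
    print(coverage_parity(INVENTORY, FINDINGS, date.today()))
```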

Lyrie Verdict

This is a document-open RCE in Excel: an attacker’s payload runs when the victim opens a crafted spreadsheet with a malformed object (NVD CVE-2009-0238). Against adversaries (human or autonomous) that can mass-generate spreadsheet lures, defense must operate before the click completes. Lyrie ingests Excel files at machine speed, detonates them pre-delivery, and blocks on observed object-parsing anomalies consistent with this CVE’s trigger path, without waiting for analyst triage (NVD CVE-2009-0238). We also enforce live policy when a file slips through: Excel execution is fenced, and suspicious child-process or memory behaviors during open are auto-contained in milliseconds, closing the window this KEV-class bug relies on (CISA KEV).

Document-open RCEs demand pre-execution control. Lyrie auto-detonates Excel files, flags malformed object parsing consistent with CVE-2009-0238, and blocks in-line at machine speed to cut off execution before user interaction completes.