CISA adds long‑standing CVE‑2007‑0671 to KEV after telemetry shows active attacks

This is an Office bug story, but really it’s a legacy-systems story. CISA has now flagged CVE-2007-0671 — a remote-code-execution flaw in Microsoft Excel — as a Known Exploited Vulnerability, which means the U.S. government has enough evidence to say attackers are still using it in the wild. That is the part that matters. Not that the bug is old. The surprise is that it is old and still operationally relevant. (cisa.gov) ### What is this bug, exactly? CVE-2007-0671 is the old “Excel malformed record” vulnerability. The basic trick is simple — an attacker sends or hosts a specially crafted spreadsheet, the target opens it, and Excel can end up executing attacker-controlled code. Microsoft originally documented it in security bulletin MS07-015 back on February 13, 2007, with an update later in 2008. (learn.microsoft.com) ### Which products were affected? The original affected set was very legacy-heavy: Microsoft Excel 2000, Excel 2002/XP, Excel 2003, and Office 2004 for Mac, with related Office suites also in scope through the shared Excel component. NVD still describes it as a remote, user-assisted code-execution issue and shows a high-severity score, with the user interaction piece being important — the file has to be opened. (nvd.nist.gov) ### Why does a 2007 bug matter in 2026? Because KEV is not a museum. CISA only adds CVEs that have a real identifier, reliable evidence of active exploitation, and a clear remediation path. So when a 19-year-old Excel flaw lands in KEV, the signal is not “remember this old thing.” The signal is “someone is using this old thing now, against systems that still exist now.” (cisa.gov)d when CISA added it to KEV? KEV status changes prioritization. For Federal Civilian Executive Branch agencies, vulnerabilities in the catalog are not just informational — they come with remediation deadlines under Binding Operational Directive 22-01. CISA also pushes private-sector defenders to treat KEV entries as a top input into patching and exposure management, even when the directive does not legally bind them. (cisa.gov) ### So is this really about Excel files? Partly, but the bigger issue is inventory. A bug like this survives because old Office versions survive — on isolated desktops, line-of-business systems, lab machines, thin-client environments, and forgotten virtual images. Security teams usually optimize for shiny new CVEs. KEV keeps dragging attention back to the boring truth: attackers love old(cisa.gov) inference from the KEV criteria plus the age and product scope of this CVE. (cisa.gov) ### What should defenders do first? Start with asset discovery, not panic. Find any systems still running affected Office generations or bundled legacy images. Then block or tightly control spreadsheet delivery paths, review email and web filtering for malicious Office documents, and apply vendor mitigations or retire the product where patches are no longe(cisa.gov)s are unavailable. (cisa.gov) ### Is ransomware part of this story? CISA’s catalog entry for this CVE marks ransomware use as “Unknown,” so there is no public government statement tying this specific flaw to ransomware campaigns. But KEV inclusion alone means active adversary use is established, which is enough to move it into the urgent bucket for defenders. (cisa.gov)son is not that Excel is uniquely cursed. It’s that legacy software never becomes harmless just because it becomes embarrassing. CISA just turned a 2007 spreadsheet bug into a 2026 operations problem — and any organization with forgotten Office installs should read that as a very direct warning. (cisa.gov)