Exploit hits CVE-2009-0238 at 03:00

- CISA added CVE-2009-0238 to the Known Exploited Vulnerabilities catalog on April 14, 2026, after confirming active exploitation of the old Microsoft Excel bug. (cisa.gov)
- The flaw lets a crafted Excel file trigger remote code execution, affects legacy Excel and Excel Viewer versions, and carries an April 28 federal fix deadline. (nvd.nist.gov)
- That matters because KEV status turns a 2009 document bug into a live patching priority for agencies and a strong signal for everyone else. (cisa.gov)

A 2009 Excel bug just became current again. That is the real story here — not that the flaw exists, but that CISA says attackers are actively using it now and put it on th(cisa.gov)trivia for vulnerability databases and becomes a real remediation deadline. For federal civilian agencies, that deadline for this one was April 28. (cisa.gov)

### What is CVE-2009-0238?

It is a remote code execution flaw in Microsoft Office Excel. A maliciously(cisa.gov) user. The affected products listed by NVD are old — Excel 2000, 2002, 2003, 2007 SP1, Excel Viewer variants, the Office compatibility pack, and Excel for Mac 2004 and 2008. (nvd.nist.gov)

### Why does a bug from 2009 still matter?

Because “old” does not mean “gone.” Legacy Office components hang around in disconnected business workflows, long-lived desktops, archived VM images, industrial envi(cisa.gov)r phishing, and the victim only has to open the file. CISA’s KEV decision means there is evidence this is not theoretical anymore. (cisa.gov)

### What changed this month?

CISA added CVE-2009-0238 and one SharePoint flaw to the KEV catalog in the same April 14 alert. The reason was simpl(nvd.nist.gov)lities that are being exploited in the wild and that pose meaningful risk to federal networks, so inclusion is a stronger signal than a high severity score sitting alone in NVD. (cisa.gov)

### Why is KEV different from a normal CVE listing?

A CVE tells you a vulnerability exists. KEV tells you attackers are already using it. Under Binding Operation(cisa.gov) sets. For everyone else, the catalog is still a prioritization tool — basically a short list of bugs causing immediate harm in the real world. (cisa.gov)

### What does the exploit actually require?

User interaction. The NVD entry says the attack works through a crafted Excel doc(cisa.gov)es this less like an internet-wide worm and more like a targeted foothold tool — but that is still plenty dangerous inside enterprises that pass spreadsheets around all day. (nvd.nist.gov)

### Who should worry most?

Agencies first, because they had a hard deadline. But big enterprises should care too, especially ones with old Office estates, compatibility packs, terminal (cisa.gov)e looks obsolete on paper. KEV status is CISA’s way of saying that instinct is wrong here. (cisa.gov)

### So what should defenders do now?

Hunt for the affected Office and Viewer versions, not just modern Microsoft 365 installs. Block or sandbox risky Office attachments, review email detections around spreads(nvd.nist.gov)t realistic. If a legacy exception still exists, it needs executive visibility now — because attackers clearly know these leftovers still open doors. (cisa.gov)

### Bottom line

This is the part defenders forget: attackers do not care how old a bug is. They care whether it still works. C(cisa.gov) present-tense patching problem. (cisa.gov)
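
One way to run the hunt for affected Office and Viewer versions recommended above, as an added example that is not part of the original briefing: a script that flags legacy installs in a software inventory export. The CSV columns, host names and build strings are constructed for illustration, and matching on major version cannot tell a patched install from an unpatched one, so every hit is a review item.

```python
import csv
import io
import re

# Families this page lists as affected, keyed by Office major version:
# 9 = 2000, 10 = 2002, 11 = 2003 / Mac 2004, 12 = 2007 / Mac 2008.
# First matching rule wins, so specific names precede the plain "excel" rule.
RULES = [
    (re.compile(r"excel viewer", re.I), {11, 12}, "Excel Viewer"),
    (re.compile(r"compatibility pack", re.I), {12}, "Office Compatibility Pack"),
    (re.compile(r"\bexcel\b", re.I), {9, 10, 11, 12}, "legacy Excel"),
    # Suites are often inventoried without naming Excel; flag for a manual check.
    (re.compile(r"\boffice\b", re.I), {9, 10, 11, 12}, "legacy Office suite"),
]

# Constructed sample inventory (hypothetical hosts and build strings).
SAMPLE = """\
host,product,version
fin-ws-014,Microsoft Office Excel 2007,12.0.6214.1000
hr-ws-002,Microsoft Excel,16.0.17328.20184
arch-vm-03,Microsoft Office Excel Viewer 2003,11.0.8173.0
plant-hmi-7,Compatibility Pack for the 2007 Office system,12.0.4518.1014
design-mac-1,Microsoft Excel 2008 for Mac,12.1.0
ops-ws-009,Microsoft Office Professional Edition 2003,11.0.5614.0
kiosk-11,Microsoft Excel,
"""

def major_version(version):
    """Leading integer of a version string, or None if it has none."""
    m = re.match(r"\s*(\d+)", version or "")
    return int(m.group(1)) if m else None

def hunt(inventory_csv):
    """Return (host, product, family) for every install that needs review."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row.get("product") or ""
        major = major_version(row.get("version"))
        for pattern, majors, family in RULES:
            if not pattern.search(product):
                continue
            if major is None:  # missing version: review rather than assume modern
                hits.append((row["host"], product, family + ", version unknown"))
            elif major in majors:
                hits.append((row["host"], product, family))
            break
    return hits

if __name__ == "__main__":
    for host, product, family in hunt(SAMPLE):
        print(f"{host:12} {family:34} {product}")
```

The current Microsoft 365 row (major version 16) is skipped, while the row with no version is kept for review instead of being assumed modern.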
