
CVE-2009-0238

17-year-old Microsoft Office RCE vulnerability added to CISA KEV on 14 April 2026 as actively exploited in legacy healthcare and public-sector deployments.

Last refreshed: 17 April 2026

Key Question

How is a 17-year-old Microsoft Office bug being actively used to hack computers in 2026?

Timeline for CVE-2009-0238

17 Apr 2026: 17-year-old Office RCE back on KEV (topic: Cybersecurity: Threats and Defences)
Common Questions

How can a bug from 2009 still be used to hack computers?

CVE-2009-0238, a Microsoft Office macro-based RCE patched in 2009, remains exploitable in about 30% of legacy Office deployments that never applied the fix. CISA added it to KEV in April 2026 as actively exploited in healthcare and public-sector environments. Source: CISA KEV

Background

CVE-2009-0238 is a Remote Code Execution vulnerability in Microsoft Office, originally disclosed in 2009, that was added to the CISA Known Exploited Vulnerabilities catalogue on 14 April 2026 as actively exploited in the wild. The vulnerability operates through macro-based attack chains and remains effective in approximately 30 per cent of unpatched legacy Office deployments, particularly in healthcare and the public sector where older software versions persist.

The CVE was patched by Microsoft in 2009 but persists in environments that have never applied the fix or that run versions of Office predating modern update mechanisms. Its reactivation in 2026 reflects a documented attacker behaviour: mining older CVE databases for vulnerabilities that remain exploitable in specific legacy-software populations. The macro execution path is simple and does not require sophisticated exploitation capability, making it accessible to a wide range of threat actors.

For public-sector CIOs and healthcare IT leaders, CVE-2009-0238's KEV addition is a board-level consequence: legacy Office estate is now a KEV compliance obligation, not a technical-debt backlog item. Any FCEB agency with unpatched Office deployments from that era has a mandatory remediation deadline. For private-sector organisations in scope of NCSC guidance, CISA's KEV addition provides the external evidence base for emergency upgrade prioritisation.
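The remediation obligation described above is only actionable once an organisation knows which of its hosts actually run the affected product without the fix. The script below is an added example, not code from this page or from CISA: it reads a catalogue in the shape of the CISA KEV JSON feed (the field names `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` are those of the real feed, but the feed content, the due dates and the second `CVE-0000-0000` entry are constructed placeholders), joins it against a constructed asset inventory, and reports each host that runs a listed product without the corresponding fix recorded, ordered by how close the KEV due date is. The hostnames, the `remediated` field and the inventory layout are assumptions for the example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the real
# feed; the dueDate values and the second entry are placeholders for this example only.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2009-0238",
      "vendorProject": "Microsoft",
      "product": "Office",
      "dateAdded": "2026-04-14",
      "dueDate": "2026-05-05",
      "requiredAction": "Apply updates per vendor instructions."
    },
    {
      "cveID": "CVE-0000-0000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "dateAdded": "2026-04-01",
      "dueDate": "2026-04-22",
      "requiredAction": "Apply updates per vendor instructions."
    }
  ]
}
"""

# Constructed asset inventory (think of an export from patch management): the vendor and
# product each host runs, plus the CVE fixes the patch system records as applied.
INVENTORY = [
    {"host": "clinic-ws-01", "vendor": "Microsoft", "product": "Office", "remediated": set()},
    {"host": "clinic-ws-02", "vendor": "Microsoft", "product": "Office", "remediated": {"CVE-2009-0238"}},
    {"host": "council-srv-01", "vendor": "ExampleVendor", "product": "ExampleProduct", "remediated": set()},
    {"host": "council-ws-07", "vendor": "Microsoft", "product": "Windows", "remediated": set()},
]


def parse_kev(feed_json):
    """Index KEV entries by (vendor, product), lower-cased so matching is case-insensitive."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def kev_exposure(feed_json, inventory, today):
    """Return one finding per (host, KEV CVE) where the host runs the affected product and the
    fix is not recorded as applied. Findings are sorted so the nearest due date comes first;
    'overdue' is True once the KEV due date has passed."""
    index = parse_kev(feed_json)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in index.get(key, []):
            if entry["cveID"] in asset["remediated"]:
                continue  # fix already recorded for this host
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_to_due": (due - today).days,
                "overdue": today > due,
            })
    return sorted(findings, key=lambda f: (f["days_to_due"], f["host"]))


if __name__ == "__main__":
    # Fixed "today" so the run is reproducible; use date.today() in practice.
    for f in kev_exposure(KEV_FEED_JSON, INVENTORY, date(2026, 4, 24)):
        status = "OVERDUE" if f["overdue"] else f"{f['days_to_due']} days left"
        print(f"{f['host']:16} {f['cveID']:16} due {f['dueDate']} ({status})")
```

In a real deployment the inventory would come from an endpoint-management export and the feed from CISA's published JSON; the join logic stays the same. Matching on vendor and product alone deliberately over-reports, since a host is only cleared when the patch system positively records the fix, which is the conservative direction for a compliance deadline.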