Cybersecurity: Threats and Defences
17 Apr

17-year-old Office RCE back on KEV

13:56 UTC

CVE-2009-0238 was assigned during the Bush administration. Attackers dug it back up, and CISA put it on the active-exploitation list in April.

Key takeaway

Attackers are reviving ancient CVEs that still work against unpatched legacy estates, particularly in the public sector.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2009-0238, a seventeen-year-old Microsoft Office remote-code-execution vulnerability, to its Known Exploited Vulnerabilities (KEV) catalogue on 14 April 2026 after confirming active exploitation in the wild. The bug was first patched in 2009, during the second Bush administration, before iPhones ran iOS 3. Attackers are mining old CVE databases for flaws that still work against legacy Office deployments, particularly in public-sector estates where migration lag is measured in decades rather than years.

The attack vector is macro-based. A Microsoft Office macro is a scripting command stored inside a document file; a malicious macro embedded in an Office document, delivered over email, runs attacker code on the target machine when opened. In modern Office installations the exploit is blocked by later patches and default macro restrictions. In unpatched legacy installations, still widespread in NHS trusts, council back-office systems and small public-sector departments, the chain completes often enough that the ransomware affiliates buying access have revived it.
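Because the vector described above depends on a document carrying a VBA project, the first defensive control a mail gateway or SOC can apply is to spot such documents before a user opens them. The following script is an added example written for this article, not code from the original page or from any vendor: it checks the two places a macro project lives, the `vbaProject.bin` part inside a modern OOXML (zip) container such as .xlsm or .docm, and the `_VBA_PROJECT` storage name inside a legacy OLE2/CFB file such as .xls or .doc. All function names (`classify_office_blob`, `triage`, the `build_*_sample` helpers) are this example's own, and the sample attachments are constructed in memory so it runs offline.

```python
"""Attachment triage: flag Office files that can carry VBA macros.

Added example for this article (not the page's or Microsoft's code).
Heuristic only: it does not parse the CFB directory, it looks for the
markers a macro project leaves behind in each container format.
"""
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 / CFB header signature
# Directory entry names inside a CFB file are stored as UTF-16LE strings;
# Excel names its macro storage "_VBA_PROJECT_CUR", Word uses "Macros/VBA".
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Macro-enabled OOXML formats keep the VBA project in xl/ or word/vbaProject.bin.
OOXML_VBA_PART = "vbaproject.bin"


def classify_office_blob(data: bytes) -> dict:
    """Return a verdict dict {container, has_macros, reason} for raw attachment bytes."""
    verdict = {"container": "unknown", "has_macros": False, "reason": ""}
    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole2"
        if OLE_VBA_MARKER in data:
            verdict["has_macros"] = True
            verdict["reason"] = "OLE2 file contains a _VBA_PROJECT storage name"
        else:
            verdict["reason"] = "no VBA storage name found in OLE2 file"
        return verdict
    if data.startswith(b"PK\x03\x04"):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            verdict["container"] = "unknown"
            verdict["reason"] = "zip container is corrupt"
            return verdict
        hits = [n for n in names if n.endswith(OOXML_VBA_PART)]
        if hits:
            verdict["has_macros"] = True
            verdict["reason"] = f"zip container carries {hits[0]}"
        else:
            verdict["reason"] = "no vbaProject.bin part in zip container"
        return verdict
    verdict["reason"] = "not an OLE2 or OOXML container"
    return verdict


def build_ooxml_sample(with_macros: bool) -> bytes:
    """Constructed minimal zip that mimics an .xlsx/.xlsm layout (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"constructed vba project bytes")
    return buf.getvalue()


def build_ole_sample(with_macros: bool) -> bytes:
    """Constructed bytes with an OLE2 header; not a parseable CFB file."""
    body = OLE_MAGIC + b"\x00" * 504            # pad out a 512-byte header sector
    if with_macros:
        body += "_VBA_PROJECT_CUR".encode("utf-16-le")  # Excel's macro storage name
    else:
        body += "Workbook".encode("utf-16-le")          # ordinary Excel stream name
    return body


def triage(attachments: dict) -> list:
    """Return the attachment names that should be held for analyst review."""
    return [name for name, blob in attachments.items()
            if classify_office_blob(blob)["has_macros"]]


if __name__ == "__main__":
    samples = {                                  # constructed test set
        "invoice.xlsm": build_ooxml_sample(True),
        "report.xlsx": build_ooxml_sample(False),
        "legacy.xls": build_ole_sample(True),
        "plain.xls": build_ole_sample(False),
    }
    for fname, blob in samples.items():
        print(fname, classify_office_blob(blob))
    print("quarantine:", triage(samples))
```

Two practical caveats. The OLE2 check is a substring search, so a document that merely contains the string `_VBA_PROJECT` in its data will be flagged; that is the right failure direction for a quarantine rule, but production tooling (for example the open-source oletools `olevba` utility) parses the CFB directory properly and should be preferred where it is available. Second, the script establishes presence of a macro project, not intent: the decision that follows is a policy one, such as stripping the macro, routing the file to a sandbox, or rejecting it outright for estates where, as the article notes, default macro restrictions are not in place.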

For a Chief Information Officer in local government or a trust finance director, a CVE on the KEV catalogue is no longer a line item in the backlog. It is a federal compliance deadline in the United States and, through the recent practice of the Information Commissioner's Office (ICO) of treating NCSC guidance as an enforceable data-protection baseline, a UK enforcement posture too. The public-sector legacy-Office problem has moved from technical debt to regulatory exposure.

Deep Analysis

In plain English

CVE-2009-0238 is a security flaw that was discovered in Microsoft Office back in 2009, during the George W. Bush presidency. Microsoft released a fix at the time, but many organisations never applied it. In April 2026, CISA, the US government's cybersecurity agency, confirmed that attackers are actively exploiting this 17-year-old vulnerability to break into computers, particularly in hospitals and government offices that still run old versions of Office. The attack works by sending a specially crafted Excel file. When someone opens it, the file runs hidden code that gives the attacker access to the computer. For organisations that have never updated Office, this vulnerability is still just as dangerous today as it was in 2009.

Root Causes

Healthcare and public-sector organisations in the UK and US have a disproportionate legacy Office estate because their procurement cycles are tied to five-to-ten-year software licensing agreements that were signed before Microsoft's 2022 macro policy change. Many NHS trusts and US county government agencies still run Office 2010 or 2013 on clinical workstations because the cost of upgrade, data migration, and clinical-software compatibility testing does not fit within annual IT budgets.

Legacy Office estate also persists because of embedded macros in operational workflows: financial reconciliation spreadsheets, clinical data import tools, and court document management systems were built on Excel macros in the 2010s and have never been refactored. Patching the underlying Office vulnerability would require refactoring those workflows as well as applying the update.

What could happen next?
  • Consequence: KEV compliance deadlines for CVE-2009-0238 will force board-level decisions at NHS trusts and US county government agencies about legacy Office replacement, converting what was a technical-debt backlog item into a regulatory compliance deadline.
  • Risk: The attack chain targeting this CVE is being actively developed and traded; threat actors who acquire it gain a reliable initial-access mechanism against the high-value, low-patch healthcare and government sectors.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter (ENISA, 17 Apr 2026)
Different Perspectives
CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.
NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.
European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.
Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.
People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.
Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.