Cybersecurity: Threats and Defences

17-year-old Office RCE back on KEV

17 April, 13:56 UTC · 3 min read

CVE-2009-0238 was cut during the Bush administration. Attackers dug it back up and CISA put it on the active-exploitation list in April.

Key takeaway

Attackers are reviving ancient CVEs that still work against unpatched legacy estates, particularly in the public sector.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2009-0238, a seventeen-year-old Microsoft Office remote-code-execution vulnerability, to its Known Exploited Vulnerabilities (KEV) catalogue on 14 April 2026 after confirming active exploitation in the wild [1]. The bug was first patched in 2009 during the second Bush administration, before iPhones ran iOS 3. Attackers are mining old CVE databases for flaws that still work against legacy Office deployments, particularly in public-sector estates where migration lag is measured in decades rather than years.

The attack vector is macro-based. A Microsoft Office macro is a scripting command stored inside a document file; a malicious macro embedded in an Office document, delivered over email, runs attacker code on the target machine when opened. In modern Office installations the exploit is blocked by later patches and default macro restrictions. In unpatched legacy installations, still widespread in NHS trusts, council back-office systems and small public-sector departments, the chain completes often enough that the ransomware affiliates buying access have revived it.

For a Chief Information Officer in local government or a trust finance director, a CVE on the KEV catalogue is no longer a line item in the backlog. It is a federal compliance deadline in the United States and, through the Information Commissioner's Office's (ICO) recent practice of treating NCSC guidance as an enforceable data-protection baseline, a UK enforcement posture too. The public-sector legacy-Office problem has moved from technical debt to regulatory exposure.
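The two defender-side facts above, that a KEV listing carries a due date and that legacy Office with permissive macro settings is the exposed population, can be joined in a triage script. The following is an added example, not tooling from the briefing or from CISA: it reads a record in the shape of CISA's KEV JSON feed (the field names are the catalogue's; the record itself is constructed, with only the CVE and the 14 April date taken from the article and the due date a placeholder), cross-references it with a constructed asset inventory, and ranks hosts by Office generation and the Excel `VBAWarnings` registry value.

```python
"""Cross-reference a KEV entry against an Office asset inventory.
Hypothetical defender-side triage; not the briefing's own tooling."""
import json
from datetime import date

# Constructed KEV record in the CISA catalogue's JSON shape. cveID and
# dateAdded come from the briefing; dueDate and the rest are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2009-0238", "vendorProject": "Microsoft", "product": "Office",
    "dateAdded": "2026-04-14", "dueDate": "2026-05-05",
    "knownRansomwareCampaignUse": "Known",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use."}]})

# Constructed inventory: host, Office major version (14.0 = 2010, 15.0 = 2013,
# 16.0 = 2016 and later) and the Excel Security\VBAWarnings registry value
# (1 = enable all macros, 2 = disable with notification, 3 = signed only, 4 = disable all).
INVENTORY = [
    {"host": "finance-ws01", "office_version": "14.0", "vba_warnings": 1},
    {"host": "clinic-ws07", "office_version": "15.0", "vba_warnings": 2},
    {"host": "hr-ws03", "office_version": "16.0", "vba_warnings": 3},
]
LEGACY_MAX = 15.0  # Office 2013 and earlier: the estate the briefing describes

def kev_entry(kev_json, cve_id):
    """Return the catalogue record for cve_id, or None if it is not listed."""
    for v in json.loads(kev_json)["vulnerabilities"]:
        if v["cveID"] == cve_id:
            return v
    return None

def days_to_deadline(entry, today_iso):
    """Days left until the KEV dueDate, counted from an ISO date string."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days

def triage(inventory, entry):
    """Keep legacy-Office hosts; VBAWarnings == 1 (all macros run) is critical."""
    findings = []
    for h in inventory:
        if float(h["office_version"]) > LEGACY_MAX:
            continue  # modern Office: patched and macro-restricted by default
        sev = "critical" if h["vba_warnings"] == 1 else "high"
        findings.append({"host": h["host"], "severity": sev, "cve": entry["cveID"]})
    return sorted(findings, key=lambda f: f["severity"] != "critical")  # critical first

if __name__ == "__main__":
    e = kev_entry(KEV_JSON, "CVE-2009-0238")
    print(days_to_deadline(e, "2026-04-17"), "days to KEV due date")
    for f in triage(INVENTORY, e):
        print(f)
```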

Deep Analysis

In plain English

CVE-2009-0238 is a security flaw that was discovered in Microsoft Office back in 2009, during the George W. Bush presidency. Microsoft released a fix at the time, but many organisations never applied it. In April 2026, CISA, the US government's cybersecurity agency, confirmed that attackers are actively exploiting this 17-year-old vulnerability to break into computers, particularly in hospitals and government offices that still run old versions of Office. The attack works by sending a specially crafted Excel file. When someone opens it, the file runs hidden code that gives the attacker access to the computer. For organisations that have never updated Office, this vulnerability is still just as dangerous today as it was in 2009.

Root Causes

Healthcare and public-sector organisations in the UK and US have a disproportionately large legacy Office estate because their procurement cycles are tied to five-to-ten-year software licensing agreements that were signed before Microsoft's 2022 macro policy change. Many NHS trusts and US county government agencies still run Office 2010 or 2013 on clinical workstations because the cost of upgrade, data migration and clinical-software compatibility testing does not fit within annual IT budgets.

Legacy Office estate also persists because of embedded macros in operational workflows: financial reconciliation spreadsheets, clinical data import tools, and court document management systems were built on Excel macros in the 2010s and have never been refactored. Patching the underlying Office vulnerability would require refactoring those workflows as well as applying the update.

What could happen next?

  • Consequence: KEV compliance deadlines for CVE-2009-0238 will force board-level decisions at NHS trusts and US county government agencies about legacy Office replacement, converting what was a technical-debt backlog item into a regulatory compliance deadline.

  • Risk: The attack chain targeting this CVE is being actively developed and traded; threat actors who acquire it gain a reliable initial access mechanism against the high-value, low-patch healthcare and government sectors.

First Reported In: Update #1 · Stryker MDM wipe exposes identity perimeter (ENISA, 17 Apr 2026)