Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

17-year-old Office RCE back on KEV

3 min read
08:46UTC

CVE-2009-0238 was cut during the Bush administration. Attackers dug it back up and CISA put it on the active-exploitation list in April.

TechnologyAssessed
Key takeaway

Attackers are reviving ancient CVEs that still work against unpatched legacy estates, particularly in the public sector.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2009-0238, a seventeen-year-old Microsoft Office remote-code-execution vulnerability, to its Known Exploited Vulnerabilities (KEV) catalogue on 14 April 2026 after confirming active exploitation in the wild 1. The bug was first patched in 2009 during the second Bush administration, before iPhones ran iOS 3. Attackers are mining old CVE databases for flaws that still work against legacy Office deployments, particularly in public-sector estates where migration lag is measured in decades rather than years.

The attack vector is macro-based. A Microsoft Office macro is a scripting command stored inside a document file; a malicious macro embedded in an Office document, delivered over email, runs attacker code on the target machine when opened. In modern Office installations the exploit is blocked by later patches and default macro restrictions. In unpatched legacy installations, still widespread in NHS trusts, council back-office systems and small public-sector departments, the chain completes often enough that the ransomware affiliates buying access have revived it.

For a Chief Information Officer in local government or a trust finance director, a CVE on the KEV catalogue is no longer a line item in the backlog. It is a federal compliance deadline in the United States and, through the Information Commissioner's Office (ICO)'s recent practice of treating NCSC guidance as enforceable data-protection baseline, a UK enforcement posture too. The public-sector legacy-Office problem has moved from technical debt to regulatory exposure.

Deep Analysis

In plain English

CVE-2009-0238 is a security flaw that was discovered in Microsoft Office back in 2009, during the George W. Bush presidency. Microsoft released a fix at the time, but many organisations never applied it. In April 2026, CISA, the US government's cybersecurity agency, confirmed that attackers are actively exploiting this 17-year-old vulnerability to break into computers, particularly in hospitals and government offices that still run old versions of Office. The attack works by sending a specially crafted Excel file. When someone opens it, the file runs hidden code that gives the attacker access to the computer. For organisations that have never updated Office, this vulnerability is still just as dangerous today as it was in 2009.

Deep Analysis
Root Causes

Healthcare and public sector organisations in the UK and US have disproportionate legacy Office estate because their procurement cycles are tied to five-to-ten-year software licensing agreements that were signed before Microsoft's 2022 macro policy change. Many NHS trusts and US county government agencies still run Office 2010 or 2013 on clinical workstations because the cost of upgrade, data migration, and clinical-software compatibility testing is not within annual IT budgets.

Legacy Office estate also persists because of embedded macros in operational workflows: financial reconciliation spreadsheets, clinical data import tools, and court document management systems were built on Excel macros in the 2010s and have never been refactored. Patching the underlying Office vulnerability would require refactoring those workflows as well as applying the update.

What could happen next?
  • Consequence

    KEV compliance deadlines for CVE-2009-0238 will force board-level decisions at NHS trusts and US county government agencies about legacy Office replacement, converting what was a technical-debt backlog item into a regulatory compliance deadline.

  • Risk

    The attack chain targeting this CVE is being actively developed and traded; threat actors who acquire it gain a reliable initial access mechanism against the high-value, low-patch healthcare and government sectors.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

ENISA· 17 Apr 2026
Read original
Causes and effects
This Event
17-year-old Office RCE back on KEV
The legacy Office estate in healthcare and the public sector is now a regulatory deadline, not a technical-debt ticket.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.