CVE-2009-0238
Published: 25 February 2009
Summary
CVE-2009-0238 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Excel. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
This vulnerability is classified as AI-related, in the category Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2009-0238 affects Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1, along with Excel Viewer 2003 Gold and SP3, Excel Viewer, the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1, and Excel in Microsoft Office 2004 and 2008 for Mac. The flaw permits remote code execution when a crafted Excel document triggers an access attempt on an invalid object, corresponding to CWE-94 code injection.
An unauthenticated attacker can exploit the issue by sending a malicious spreadsheet that executes arbitrary code once opened; the only requirement is that the recipient view the file in an affected Excel component. The vulnerability carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
Microsoft security advisory 968272 and associated patches address the issue by correcting object handling in the listed products. The vulnerability was exploited in the wild in February 2009 by Trojan.Mdropper.AC.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2009-0246
Vulnerability details
Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.
- CWE(s)
- CWE-94 (Code Injection)
- KEV Date Added
- 14 April 2026
AI Security Analysis
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: trojan
Related Threats
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Malicious-code protection mechanisms can block or sandbox execution of the crafted Excel document that triggers the invalid-object code injection.
Flaw remediation directly requires applying the vendor patches that correct the object-handling defect described in the CVE.
Integrity verification of software and documents can detect unauthorized modification or tampering that produces the malicious spreadsheet used in the exploit.