Cyber Resilience

CVE-2009-0238

Tags: High, CISA KEV, Active Exploitation, EUVD Exploited, RCE

Published: 25 February 2009
Modified: 22 April 2026
KEV Added: 14 April 2026
Patch: available
CVSS Score: v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.7475 (98.9th percentile)
Risk Priority: 82 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2009-0238 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Excel. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

This vulnerability is flagged as AI-related, categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2009-0238 affects Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1, along with Excel Viewer 2003 Gold and SP3, Excel Viewer, the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1, and Excel in Microsoft Office 2004 and 2008 for Mac. The flaw permits remote code execution when a crafted Excel document triggers an access attempt on an invalid object, corresponding to CWE-94 code injection.

An unauthenticated attacker can exploit the issue by sending a malicious spreadsheet that executes arbitrary code once opened, requiring only that the recipient view the file in an affected Excel component. The vulnerability carries a CVSS 3.1 score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

Microsoft security advisory 968272 and associated patches address the issue by correcting object handling in the listed products. The vulnerability was exploited in the wild in February 2009 by Trojan.Mdropper.AC.

Vulnerability details

Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 14 April 2026

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: trojan

Affected Assets

microsoft excel: 2000, 2002, 2003, 2007
microsoft excel viewer: all versions
microsoft office: 2004, 2008
microsoft office compatibility pack: 2007
microsoft office excel viewer: 2003, all versions

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-3 (Malicious Code Protection): malicious-code protection mechanisms can block or sandbox execution of the crafted Excel document that triggers the invalid-object code injection.

Prevent, SI-2 (Flaw Remediation): flaw remediation directly requires applying the vendor patches that correct the object-handling defect described in the CVE.

Detect, integrity verification: integrity verification of software and documents can detect unauthorized modification or tampering that produces the malicious spreadsheet used in the exploit.
