Cyber Resilience

CVE-2009-0556

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 03 April 2009

Modified: 22 April 2026
KEV Added: 07 January 2026
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5905 (98.3rd percentile)
Risk Priority: 73 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2009-0556 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft PowerPoint. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 1.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, as well as PowerPoint in Microsoft Office 2004 for Mac, are affected by a memory corruption vulnerability. The flaw occurs when processing a PowerPoint file containing an OutlineTextRefAtom with an invalid index value, which can be triggered during file handling and is tracked under CWE-94.

Remote attackers can exploit the issue by supplying a malicious PowerPoint document, for example via email or web download. Successful attacks result in arbitrary code execution on the target system with the privileges of the logged-in user. The vulnerability carries a CVSS score of 8.8, reflecting a network attack vector and high impact on confidentiality, integrity, and availability.

Microsoft security advisories published in April 2009 describe active in-the-wild exploitation of the zero-day issue by Exploit:Win32/Apptom.gen and outline steps for detection along with recommended protective measures for affected installations.

EU & UK References

Vulnerability details

Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption, as exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen, aka "Memory Corruption Vulnerability."

CWE(s)
KEV Date Added: 07 January 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft · Product: office powerpoint · Versions: 2004
Vendor: microsoft · Product: powerpoint · Versions: 2000, 2002, 2003

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent, detect

Malicious-code protection mechanisms directly block or detect the specially crafted PowerPoint file containing the OutlineTextRefAtom exploit before it is processed.

prevent

Memory-protection techniques (DEP, ASLR, etc.) directly mitigate the memory-corruption primitive that enables arbitrary code execution from the invalid index value.

prevent

Flaw remediation requires prompt installation of the vendor patch that eliminates the OutlineTextRefAtom parsing vulnerability exploited in the wild.

References