Cyber Resilience

CVE-2009-0557

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 June 2009
Modified: 22 April 2026
KEV Added: 08 June 2022
Patch: vendor security updates available (see below)
CVSS v3.1 base score: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS score: 0.8637 (99.4th percentile)
Risk Priority: 87 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2009-0557 is a high-severity vulnerability in Microsoft Excel and the related Office viewers and converters. The CVE record classifies it as Code Injection (CWE-94); Microsoft's name for it is the "Object Record Corruption Vulnerability": a crafted Excel file carrying a malformed record object lets an attacker execute arbitrary code when the file is opened. Its CVSS v3.1 base score is 7.8 (High).

Operationally, it ranks in the top 0.6% of CVEs by EPSS exploit likelihood (99.4th percentile), and CISA added it to the Known Exploited Vulnerabilities catalog on 08 June 2022.

The strongest mitigations this analysis identified are NIST 800-53 SI-2 (Flaw Remediation), i.e. applying the Microsoft security updates, and SI-3 (Malicious Code Protection).

Deeper analysis

Microsoft Excel and related components across multiple versions of Microsoft Office, including Office 2000 SP3 through 2007 SP2, Office 2004 and 2008 for Mac, the Open XML File Format Converter for Mac, Excel Viewer 2003 SP3, Excel Viewer, and the Office Compatibility Pack SP1 and SP2, contain an object record corruption vulnerability. The flaw, classified as CWE-94, is triggered when the application parses a specially crafted Excel file containing a malformed record object; mishandling of that record can lead to arbitrary code execution on the affected system.

An attacker exploits the issue by getting a user to open a malicious Excel document, whether delivered directly, as an email attachment, or as a web download. This user interaction is why the CVSS v3.1 vector scores Attack Vector as Local (AV:L) with User Interaction required (UI:R), even though the CVE description speaks of "remote attackers". Successful exploitation executes code with the privileges of the user who opened the file, giving the attacker full control over the confidentiality, integrity, and availability of that user's session; a non-administrative user account limits, but does not prevent, the impact.

Public advisories referenced in the CVE entry, namely US-CERT Technical Alert TA09-160A and third-party advisories from SecurityFocus, SecurityTracker, and VUPEN, direct administrators to apply the corresponding Microsoft security updates for the listed Office products, viewers, and converters.
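Excel's legacy binary format is a stream of length-prefixed records, and the flaw above is in how one such record is handled. The walker below is an added example, not code from this page, from Microsoft, or from any advisory cited here: it parses the BIFF8 record layout (2-byte type, 2-byte payload length, payload) and refuses every header that an unchecked parser would trust, which is also the kind of pre-open triage check a malicious-code control can apply to an attachment. The sample streams are constructed for the example; the record type codes (BOF, EOF, CODEPAGE, OBJ) are real BIFF8 values, but the truncated OBJ record in BAD_STREAM is a generic malformed-record case, not a reproduction of the specific object record behind CVE-2009-0557.

```python
"""BIFF record-stream walker with bounds checks (added example, not from the page)."""
import struct
from dataclasses import dataclass
from typing import Iterator

# Record type codes (real BIFF8 values).
BOF = 0x0809        # beginning of a substream (workbook globals or a sheet)
EOF = 0x000A        # end of that substream
CODEPAGE = 0x0042
OBJ = 0x005D        # drawing/control object record
MAX_PAYLOAD = 8224  # BIFF8 maximum payload bytes in one record


@dataclass
class Record:
    offset: int
    rtype: int
    length: int
    payload: bytes


class MalformedRecord(ValueError):
    """Raised when a record header cannot be trusted."""


def iter_records(stream: bytes) -> Iterator[Record]:
    """Yield records, refusing any header that would read out of bounds.

    Each check is one an unchecked parser skips: a declared length larger than
    the bytes that actually follow, a length above the format maximum, a header
    cut off by the end of the stream, or a record outside a BOF/EOF substream.
    """
    pos, n = 0, len(stream)
    in_substream = False
    while pos < n:
        if n - pos < 4:
            raise MalformedRecord(f"truncated record header at offset {pos}")
        rtype, length = struct.unpack_from("<HH", stream, pos)
        if length > MAX_PAYLOAD:
            raise MalformedRecord(
                f"record 0x{rtype:04X} at offset {pos}: length {length} "
                f"exceeds BIFF8 maximum {MAX_PAYLOAD}")
        end = pos + 4 + length
        if end > n:
            raise MalformedRecord(
                f"record 0x{rtype:04X} at offset {pos}: declares {length} "
                f"payload bytes but only {n - pos - 4} remain")
        if rtype == BOF:
            if in_substream:
                raise MalformedRecord(f"BOF at offset {pos} inside an open substream")
            in_substream = True
        elif not in_substream:
            raise MalformedRecord(
                f"record 0x{rtype:04X} at offset {pos} outside any BOF/EOF substream")
        elif rtype == EOF:
            in_substream = False
        yield Record(pos, rtype, length, stream[pos + 4:end])
        pos = end
    if in_substream:
        raise MalformedRecord("stream ended without a closing EOF record")


def triage(stream: bytes) -> dict:
    """Summarise a stream: record types seen and the first malformation, if any."""
    seen = []
    try:
        for rec_ in iter_records(stream):
            seen.append(rec_.rtype)
    except MalformedRecord as exc:
        return {"records": seen, "malformed": str(exc)}
    return {"records": seen, "malformed": None}


def rec(rtype: int, payload: bytes = b"") -> bytes:
    """Encode one well-formed record (used only to build the constructed samples)."""
    return struct.pack("<HH", rtype, len(payload)) + payload


# Constructed samples. BOF payload: version 0x0600, substream type 0x0005 (workbook globals).
BOF_PAYLOAD = struct.pack("<HH", 0x0600, 0x0005) + b"\x00" * 12
GOOD_STREAM = rec(BOF, BOF_PAYLOAD) + rec(CODEPAGE, struct.pack("<H", 0x04B0)) + rec(EOF)
# Same prologue, then an OBJ header claiming 512 payload bytes when only 8 follow
# (a generic malformed record, not the CVE-2009-0557 trigger).
BAD_STREAM = rec(BOF, BOF_PAYLOAD) + struct.pack("<HH", OBJ, 512) + b"\x00" * 8


if __name__ == "__main__":
    print(triage(GOOD_STREAM))
    print(triage(BAD_STREAM))
```

To run this over a real .xls, extract the Workbook stream from the OLE2 compound file first (for example with olefile: `olefile.OleFileIO(path).openstream("Workbook").read()`); the .xlsx/.xlsm Open XML formats are ZIP containers and do not use BIFF records, so this check does not apply to them.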

Vulnerability details

Excel in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, and Office 2004 and 2008 for Mac; Excel in 2007 Microsoft Office System SP1 and SP2; Open XML File Format Converter for Mac; Microsoft Office Excel Viewer 2003 SP3; Microsoft Office Excel Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allow remote attackers to execute arbitrary code via a crafted Excel file with a malformed record object, aka "Object Record Corruption Vulnerability."

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft / office: 2000, 2003, 2004, 2007, 2008
microsoft / office compatibility pack: 2007
microsoft / office excel viewer: 2003, all versions
microsoft / office sharepoint server: 2007
microsoft / open xml file format converter: all versions

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires applying the Microsoft security updates that fix the object-record parsing flaw before a crafted Excel file reaches a vulnerable Excel, Excel Viewer, Compatibility Pack, or Open XML File Format Converter install.

SI-3 Malicious Code Protection (prevent / detect)

Malicious-code protection at the mail gateway, web proxy, and endpoint can block or detect delivery of the specially crafted Excel file by email or download, and can detect the payload it drops if a user opens it.

SI-7 Software, Firmware, and Information Integrity (detect)

Integrity verification of software and files does not see the malformed record inside the document itself; what it can identify is the unauthorized modification of binaries, scripts, and configuration made by code that runs after a successful exploit.
