Changeflow GovPing Data Privacy & Cybersecurity CISA Adds CVE-2009-0238 and CVE-2026-32201 to K...
Priority review Notice Amended Final

CISA Adds CVE-2009-0238 and CVE-2026-32201 to Known Exploited Vulnerabilities Catalog

Favicon for www.cisa.gov CISA Cybersecurity Advisories
Published
Detected
Email

Summary

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. CVE-2009-0238 is a Microsoft Office Remote Code Execution vulnerability and CVE-2026-32201 is a Microsoft SharePoint Server Improper Input Validation vulnerability. These vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities pursuant to Binding Operational Directive 22-01.

View original document View source feed page

What changed

CISA has added two Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The additions include CVE-2009-0238 affecting Microsoft Office and CVE-2026-32201 affecting Microsoft SharePoint Server. Both vulnerabilities have been identified as frequent attack vectors for malicious cyber actors.

Federal Civilian Executive Branch agencies must remediate these vulnerabilities by the due dates specified in Binding Operational Directive 22-01. While BOD 22-01 technically applies only to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. Organizations should review their systems for these specific CVEs and implement patches or mitigations accordingly.

What to do next

  1. Review the KEV Catalog for CVE-2009-0238 and CVE-2026-32201
  2. Prioritize remediation of these vulnerabilities as part of vulnerability management
  3. FCEB agencies must remediate by the due dates established in BOD 22-01

Archived snapshot

Apr 15, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Alert

CISA Adds Two Known Exploited Vulnerabilities to Catalog

Release Date

April 14, 2026

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
  • CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Named provisions

Known Exploited Vulnerabilities Catalog Binding Operational Directive 22-01

Related changes

Favicon for www.cisa.gov CVE-2023-21529: Microsoft Exchange Server RCE Vulnerability Added to Known Exploited Vulnerabilities Catalog
Priority review Apr 14, 2026 CISA Known Exploited Vulnerabilities (KEV) Data Privacy & Cybersecurity
Favicon for www.cisa.gov CVE-2009-0238: Microsoft Excel Remote Code Execution Vulnerability
Priority review Apr 15, 2026 CISA Known Exploited Vulnerabilities (KEV) Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA Adds Seven Known Exploited Vulnerabilities to Catalog
Priority review Apr 13, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity

Get daily alerts for CISA Cybersecurity Advisories

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.cisa.gov
CISA Cybersecurity Advisories cisa.gov/cybersecurity-advisories/all.xml
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
CISA
Published
April 14th, 2026
Instrument
Notice
Legal weight
Binding
Stage
Final
Change scope
Substantive
Document ID
BOD 22-01

Who this affects

Applies to
Government agencies Federal contractors Technology companies
Industry sector
5112 Software & Technology
Activity scope
Vulnerability remediation Cybersecurity compliance Patch management
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy Software & Technology

Browse Categories

Agriculture & Food Safety 64 AI Regulation 3 Banking & Finance 291 Consumer Protection 44 Courts & Legal 361 Data Privacy & Cybersecurity 73 Defense & National Security 51 Education 19 Energy 100 Environment 86 Environmental Regulation 7 Financial Regulation 2 Government & Legislation 279 Healthcare 136 Housing 16 Immigration 8 Insurance 58 Labor & Employment 113 Pharma & Drug Safety 104 Public Health 2 Securities & Markets 103 Securities Regulation 6 Tax 65 Telecom & Technology 47 Trade & Sanctions 135 Transportation 57

Get alerts for this source

We'll email you when CISA Cybersecurity Advisories publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!