CVE-2009-0238: Microsoft Excel Remote Code Execution Vulnerability
Summary
CISA added CVE-2009-0238 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects Microsoft Office Excel versions 2000 SP3 through 2007 SP1, Excel Viewer 2003, Compatibility Pack for Office 2007 formats, and Excel for Mac 2004 and 2008. The vulnerability allows remote code execution via crafted Excel documents and was actively exploited in February 2009 by Trojan.Mdropper.AC. CISA's SSVC assessment rates exploitation as active with total technical impact.
What changed
CISA added CVE-2009-0238 to its Known Exploited Vulnerabilities catalog. This CVE, originally from Microsoft Corporation, describes a remote code execution vulnerability in Microsoft Office Excel versions 2000 SP3 through 2007 SP1, Excel Viewer, Compatibility Pack, and Excel for Mac. The vulnerability allows remote attackers to execute arbitrary code through crafted Excel documents that trigger an access attempt on an invalid object. It was exploited in the wild in February 2009 by Trojan.Mdropper.AC. CISA's SSVC evaluation indicates active exploitation with total technical impact.
Federal agencies and critical infrastructure operators should prioritize remediation of this vulnerability. The KEV catalog entry signals CISA's determination that this vulnerability poses significant risk due to active exploitation. Organizations running any affected Microsoft Office Excel versions should apply the MS09-009 security update immediately to prevent potential remote code execution attacks.
What to do next
- Apply Microsoft security update MS09-009 immediately
- Review Microsoft security advisory 968272 for mitigation guidance
- Prioritize patching affected Microsoft Office Excel installations
Archived snapshot
Apr 15, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: Microsoft Corporation
Updated:
2018-10-12
Description
Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.
Product Status
Learn more Information not provided
References 11 Total
- http://www.microsoft.com/technet/security/advisory/968272.mspx
- vupen.com: ADV-2009-1023 vdb-entry
- exchange.xforce.ibmcloud.com: ms-excel-unspecified-code-execution(48875) vdb-entry
- us-cert.gov: TA09-104A third-party-advisory
- securityfocus.com: 33870 vdb-entry
- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022310-4202-99
- docs.microsoft.com: MS09-009 vendor-advisory
- oval.cisecurity.org: oval:org.mitre.oval:def:5968 vdb-entry signature
- http://isc.sans.org/diary.html?storyid=5923
- securitytracker.com: 1021744 vdb-entry
- http://blogs.zdnet.com/security/?p=2658
CVE Program
References 11 Total
- http://www.microsoft.com/technet/security/advisory/968272.mspx x_transferred
- vupen.com: ADV-2009-1023 vdb-entry x_transferred
- exchange.xforce.ibmcloud.com: ms-excel-unspecified-code-execution(48875) vdb-entry x_transferred
- us-cert.gov: TA09-104A third-party-advisory x_transferred
- securityfocus.com: 33870 vdb-entry x_transferred
- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022310-4202-99 x_transferred
- docs.microsoft.com: MS09-009 vendor-advisory x_transferred
- oval.cisecurity.org: oval:org.mitre.oval:def:5968 vdb-entry signature x_transferred
- http://isc.sans.org/diary.html?storyid=5923 x_transferred
- securitytracker.com: 1021744 vdb-entry x_transferred
- http://blogs.zdnet.com/security/?p=2658 x_transferred
Authorized Data Publishers
CISA-ADP
SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
Learn more
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-04-14 |
KEV 1 Total
Learn more
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-0238 (2026-04-14)
CWE 1 Total
Learn more
- CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSS 1 Total
Learn more
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.8 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Related changes
Get daily alerts for CISA Known Exploited Vulnerabilities (KEV)
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CISA Known Exploited Vulnerabilities (KEV) publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.