Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Remote Code Execution in Microsoft Office Excel Malformed Object Handling

IdentifiersCVE-2009-0238CWE-94· Improper Control of Generation of…

CVE-2009-0238 is a memory corruption vulnerability in Microsoft Office Excel and related components. A remote attacker can trigger the flaw by persuading a user to open a specially crafted Excel document containing a malformed object. When the file is opened, Excel attempts to access an invalid object in memory, leading to memory corruption and enabling arbitrary code execution in the context of the logged-on user. Affected products include Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac. Microsoft stated the issue was publicly disclosed and exploited in the wild, including by Trojan.Mdropper.AC, and addressed it in MS09-009 by changing how Excel opens Excel files.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution with the privileges of the current user. If the victim has administrative rights, an attacker may take complete control of the affected system, including installing programs, viewing, modifying, or deleting data, and creating new accounts with full user rights. Systems where users operate with lower privileges are less impacted, but code execution is still possible in that user context.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing users from opening Excel files from untrusted or unknown sources. Microsoft recommended using the Microsoft Office Isolated Conversion Environment (MOICE) for opening files from untrusted sources and using Office File Block policy to block opening Office 2003 and earlier document formats from untrusted locations. Standard hardening measures also apply: restrict administrative privileges, filter or sandbox email attachments, and block delivery of unsolicited Excel documents where feasible.

Remediation

Patch, then assume compromise.

Apply Microsoft's security update from MS09-009 / KB968557 for affected Office and Excel products. Per the bulletin, the update modifies the way Microsoft Office Excel opens Excel files. For Excel 2007 SP1 environments, Microsoft also noted that KB960003 for the Office Compatibility Pack is required to be fully protected where applicable. Organizations should prioritize patching all affected Excel desktop installations, viewers, compatibility components, and supported Mac Office editions.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationExcelapplication
Microsoft CorporationExcel Viewerapplication
Microsoft CorporationOfficeapplication
Microsoft CorporationOffice Compatibility Packapplication
Microsoft CorporationOffice Excelapplication
Microsoft CorporationOffice Excel Viewerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

21 SOURCESView more in app
security affairsNews
Apr 15, 2026
U.S. CISA adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog

A Microsoft Office Excel remote code execution vulnerability triggered by opening a specially crafted Excel file, causing invalid memory access and memory corruption that can lead to arbitrary code execution.

Read more
register securityNews
Apr 15, 2026
Ancient Excel bug comes out of retirement for active attacks • The Register

A critical Microsoft Excel remote code execution vulnerability triggered by opening a specially crafted Excel document containing a malformed object.

Read more
register securityNews
Apr 15, 2026
Ancient Excel bug comes out of retirement for active attacks

A critical remote code execution vulnerability in Microsoft Excel that is triggered when a victim opens a specially crafted Excel document containing a malformed object.

Read more
learn microsoftNews
Jun 8, 2023
Microsoft Security Bulletin MS09-009 - Critical | Microsoft Learn

A remote code execution vulnerability in Microsoft Office Excel triggered by opening a specially crafted Excel file; this issue was publicly disclosed and was being exploited at the time of bulletin release.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity15

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2009-0238
NVD
nvd.nist.gov/vuln/detail/CVE-2009-0238
MITRE CWE · CWE-94
Improper Control of Generation of Code ('Code…
Vendor Advisory
microsoft.com/technet/security/advisory/968272.mspx
Vendor Advisory
docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-009
Third Party Advisory
exchange.xforce.ibmcloud.com/vulnerabilities/48875
Press/Media Coverage
isc.sans.org/diary.html?storyid=5923
US Government Resource
us-cert.gov/cas/techalerts/TA09-104A.html
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-0238