CVE-2009-0238

Warnung

Medienbericht

EPSS 74.91%
Veröffentlicht 25.02.2009 16:30:00
Zuletzt bearbeitet 22.04.2026 16:42:50
Quelle secure@microsoft.com
CVE-Watchlists
Login
Unerledigt
Login

Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 17

NVD 10 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microsoft ≫ Excel Version2000 Updatesp3

Microsoft ≫ Excel Version2002 Updatesp3

Microsoft ≫ Excel Version2003 Updatesp3

Microsoft ≫ Excel Version2007 Updatesp1

Microsoft ≫ Excel Viewer

Microsoft ≫ Office Version2004 SwPlatformmacos

Microsoft ≫ Office Version2008 SwPlatformmacos

Microsoft ≫ Office Compatibility Pack Version2007 Updatesp1

Microsoft ≫ Office Excel Viewer

Microsoft ≫ Office Excel Viewer Version2003 Updatesp3

14.04.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Office Remote Code Execution

Schwachstelle

Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	74.91%	0.989

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html

Media Report

https://www.heise.de/news/Warnung-vor-Attacken-auf-17-Jahre-alte-Excel-Luecke-11257838.html

Media Report

http://www.us-cert.gov/cas/techalerts/TA09-104A.html

US Government Resource

http://blogs.zdnet.com/security/?p=2658

Broken Link

http://isc.sans.org/diary.html?storyid=5923

Press/Media Coverage

http://securitytracker.com/id?1021744

Broken Link