9.3

CVE-2009-0238

Warnung
Medienbericht
Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MicrosoftExcel Version2000 Updatesp3
MicrosoftExcel Version2002 Updatesp3
MicrosoftExcel Version2003 Updatesp3
MicrosoftExcel Version2007 Updatesp1
MicrosoftOffice Version2004 SwPlatformmacos
MicrosoftOffice Version2008 SwPlatformmacos
MicrosoftOffice Compatibility Pack Version2007 Updatesp1
MicrosoftOffice Excel Viewer Version2003 Updatesp3

14.04.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Office Remote Code Execution

Schwachstelle

Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 43.06% 0.986
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.3 8.6 10
AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
16.04.2026 16:09
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
15.04.2026 08:52
http://www.us-cert.gov/cas/techalerts/TA09-104A.html
US Government Resource
http://blogs.zdnet.com/security/?p=2658
Broken Link
http://isc.sans.org/diary.html?storyid=5923
Press/Media Coverage
http://securitytracker.com/id?1021744
Broken Link
http://www.microsoft.com/technet/security/advisory/968272.mspx
Vendor Advisory
http://www.securityfocus.com/bid/33870
Broken Link
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022310-4202-99
Broken Link
http://www.vupen.com/english/advisories/2009/1023
Broken Link
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-009
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/48875
Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5968
Broken Link
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-0238
US Government Resource