CVE-2009-0238
HIGH KEVMicrosoft Office <2007 SP1 - RCE
Title source: llmDescription
Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.
References (12)
Scores
CVSS v3
8.8
EPSS
0.7491
EPSS Percentile
98.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CISA KEV
2026-04-14
VulnCheck KEV
2009-02-25
InTheWild.io
2018-10-12
ENISA EUVD
EUVD-2009-0246
CWE
CWE-94
Status
published
Products (15)
microsoft/excel
2004
microsoft/excel
2000 sp3
microsoft/excel
2002 sp3
microsoft/excel
2003 sp3
microsoft/excel
2007 sp1
microsoft/excel_viewer
microsoft/office
2008 (2 CPE variants)
microsoft/office
2004
microsoft/office_compatibility_pack
2007 sp1
microsoft/office_excel
2000 sp3
... and 5 more
Published
Feb 25, 2009
KEV Added
Apr 14, 2026
Tracked Since
Feb 18, 2026