CVE-2009-3129

HIGH KEV

Microsoft Excel 2002 SP3-2007 SP2 - Remote Code Execution via FEATHEADER Record

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2009-3129 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 3 public exploits from researchers including Metasploit, anonymous, Sean Larsson, jduck, including a Metasploit module exploits/windows/fileformat/ms09_067_excel_featheader.

AI-analyzed exploit summary This Metasploit module exploits CVE-2009-3129 by crafting a malicious Excel file with a malformed FEATHEADER record, leading to arbitrary code execution via pointer manipulation in Microsoft Office Excel.

Description

Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows
https://www.exploit-db.com/exploits/16625

This Metasploit module exploits CVE-2009-3129 by crafting a malicious Excel file with a malformed FEATHEADER record, leading to arbitrary code execution via pointer manipulation in Microsoft Office Excel.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office Excel (2002, 2003, 2007)
No auth needed
Prerequisites: Victim must open the malicious Excel file
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC
by anonymous · pythonlocalwindows
https://www.exploit-db.com/exploits/14706

This exploit leverages a malformed FEATHEADER record in Microsoft Excel files to trigger a memory corruption vulnerability (CVE-2009-3129), allowing arbitrary code execution via embedded shellcode. The PoC generates a crafted Excel file with a compressed payload containing the exploit.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office Excel 2003/2007
No auth needed
Prerequisites: Victim opens the malicious Excel file
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC GOOD
by Sean Larsson, jduck · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb

This Metasploit module exploits a vulnerability in Microsoft Excel's handling of the FEATHEADER record (CVE-2009-3129) by manipulating a pointer offset to achieve arbitrary code execution. It generates a malicious .xls file that triggers the vulnerability when opened.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Excel (Office 2002, 2003, 2007)
No auth needed
Prerequisites: Victim must open the malicious Excel file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (11)

Core 11
Core References
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/59860
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1023157
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36945
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-314A.html
Broken Link third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-067
Broken Link mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2009-11/0080.html
Third Party Advisory, VDB Entry x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-09-083
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/14706

Scores

CVSS v3 7.8
EPSS 0.9244
EPSS Percentile 99.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2012-01-01
InTheWild.io 2022-03-03
ENISA EUVD EUVD-2009-3112
CWE
CWE-787
Status published
Products (8)
microsoft/excel 2002 sp3
microsoft/excel 2003 sp3
microsoft/excel 2007 sp1 (2 CPE variants)
microsoft/excel_viewer (2 CPE variants)
microsoft/excel_viewer 2003 sp3
microsoft/office 2004
microsoft/office 2008
microsoft/open_xml_file_format_converter
Published Nov 11, 2009
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026