A Microsoft Excel security vulnerability found 18 years ago has been confirmed as still being used in real-world attacks. The case is a warning that environments running unsupported legacy software have become attractive targets for cyberattacks.
TechRadar reported on April 16 that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Excel flaw CVE-2009-0238 to its Known Exploited Vulnerabilities (KEV) catalogue.
The vulnerability, first reported in 2009, allows arbitrary code execution through a maliciously crafted Excel file. According to the National Vulnerability Database (NVD), a file carrying a malformed record object makes Excel perform an invalid object access, so simply opening the file in a vulnerable version is enough to hand the attacker code execution in the context of the user who opened it.
The severity is also rated high: 8.8 out of 10 on the CVSS scale. Past reports said the exploit was used to drop the Trojan.Mdropper.AC malware.
Most affected products are older versions that are no longer supported. They include Excel 2000 SP3, 2002 SP3, 2003 SP3 and 2007 SP1, as well as Excel Viewer 2003, Office 2007 Compatibility Pack SP1 and Excel for Office 2004 and 2008 for Mac. A patch has already been released, but some organisations still use older versions and appear to remain exposed to attacks.
CISA added the vulnerability to the catalogue and required Federal Civilian Executive Branch (FCEB) agencies to complete mitigation measures by April 28. The listing reflects CISA's judgement that exploitation has been confirmed and that remediation cannot wait.
The attacker and specific purpose have not been disclosed, but the security industry has raised the possibility that phishing emails with malicious Excel file attachments were used as a main attack route. A direct link to ransomware has not been confirmed.
Newer versions of Excel are outside the scope of the vulnerability: Excel 2007 SP2 and later, Excel 2010, 2013, 2016, 2019 and 2021, and all versions of Excel for Microsoft 365 are listed as unaffected. For Excel 2007 the dividing line is therefore the service pack level, not the product year.
The case shows that an old vulnerability with a long-available patch can be put back into service if it is left unaddressed. Organisations that keep unsupported software in particular face remote code execution from a single document file, which is why the disclosure has prompted calls for urgent inventory checks and updates, or retirement of versions that can no longer be patched.
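The check that follows from the affected and unaffected version lists above and from the KEV due date is easy to automate. The script below is an added example written for this article; it is not code from CISA, TechRadar or Microsoft. It parses a KEV feed fragment, classifies each inventory row against the versions the article names (including the Excel 2007 SP1 versus SP2 boundary), and reports how many days remain before the due date. The KEV record, the inventory rows, the host names and the dates are constructed sample values: the field names follow the public KEV JSON feed, but the page gives only "April 28" as the due date, so the year is assumed.

```python
"""Cross-reference an asset inventory against a CISA KEV entry.

Added example, not code from CISA, TechRadar or Microsoft. The KEV record
and inventory below are constructed; field names follow the public KEV JSON
feed, dates are sample values (year assumed). Affected/unaffected versions
are the ones the article reports.
"""
import json
import re
from datetime import date

# Constructed KEV feed fragment with one vulnerability (sample values).
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2009-0238",
      "vendorProject": "Microsoft",
      "product": "Excel",
      "vulnerabilityName": "Microsoft Excel Memory Corruption Vulnerability",
      "dateAdded": "2026-04-14",
      "shortDescription": "Crafted Excel file triggers invalid object access and arbitrary code execution.",
      "dueDate": "2026-04-28",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed inventory rows, as an asset database export might look.
INVENTORY = [
    {"host": "fin-ws-01", "vendor": "Microsoft", "product": "Excel", "version": "2003 SP3"},
    {"host": "fin-ws-02", "vendor": "Microsoft", "product": "Excel", "version": "2007 SP1"},
    {"host": "fin-ws-03", "vendor": "Microsoft", "product": "Excel", "version": "2007 SP2"},
    {"host": "hr-ws-01", "vendor": "Microsoft", "product": "Excel", "version": "Microsoft 365"},
    {"host": "legacy-srv", "vendor": "Microsoft", "product": "Office 2007 Compatibility Pack", "version": "SP1"},
    {"host": "mac-01", "vendor": "Microsoft", "product": "Excel for Mac", "version": "2008"},
    {"host": "dev-ws-01", "vendor": "Microsoft", "product": "Word", "version": "2003 SP3"},
]

_VERSION_RE = re.compile(r"(?P<year>\d{4})(?:\s*SP(?P<sp>\d+))?", re.IGNORECASE)


def parse_version(version):
    """Return (year, service_pack) from strings like '2007 SP1'; SP defaults to 0.
    Returns None when no four-digit product year is present."""
    m = _VERSION_RE.search(version)
    if m is None:
        return None
    return int(m.group("year")), int(m.group("sp") or 0)


def is_affected(product, version):
    """True if the build is one the article names as affected and must be
    confirmed patched or retired. A version string alone cannot prove the
    vendor update was applied, so True means 'review', not 'exploitable'."""
    p = product.lower()
    if "compatibility pack" in p:
        return True  # Compatibility Pack SP1 is listed; later SPs are not addressed, so flag all
    if "excel" not in p:
        return False  # other Office components are out of scope for this CVE
    if "viewer" in p:
        return True  # Excel Viewer 2003 is listed as affected
    if "365" in version or "365" in p:
        return False  # Excel for Microsoft 365 is listed as unaffected
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    year, sp = parsed
    if "mac" in p:
        return year in (2004, 2008)  # Excel for Office 2004 and 2008 for Mac
    if year in (2000, 2002, 2003):
        return True  # Excel 2000 SP3, 2002 SP3, 2003 SP3
    if year == 2007:
        return sp < 2  # 2007 SP1 affected; SP2 and later fixed
    return False  # 2010, 2013, 2016, 2019, 2021


def load_kev_entry(feed_text, cve_id):
    """Return the KEV record for cve_id, or None if it is not in the feed."""
    feed = json.loads(feed_text)
    wanted = cve_id.upper()
    for entry in feed["vulnerabilities"]:
        if entry["cveID"].upper() == wanted:
            return entry
    return None


def days_until_due(entry, today):
    """Days from ISO date `today` to the entry's dueDate (negative means overdue)."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today)).days


def check_inventory(entry, inventory, today):
    """Return one finding per inventory row that runs an affected build."""
    findings = []
    for row in inventory:
        if row["vendor"].lower() != entry["vendorProject"].lower():
            continue
        if not is_affected(row["product"], row["version"]):
            continue
        findings.append({
            "host": row["host"],
            "product": f'{row["product"]} {row["version"]}',
            "cve": entry["cveID"],
            "days_until_due": days_until_due(entry, today),
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    return findings


if __name__ == "__main__":
    kev = load_kev_entry(KEV_FEED_JSON, "CVE-2009-0238")
    for f in check_inventory(kev, INVENTORY, "2026-04-16"):
        print(f"{f['host']:<12} {f['product']:<40} due in {f['days_until_due']:>3} days; "
              f"ransomware use: {f['ransomware_use']}")
```

Run against the constructed inventory, the script flags the Excel 2003 SP3 and 2007 SP1 workstations, the Compatibility Pack host and the Excel 2008 for Mac machine, and leaves 2007 SP2, Microsoft 365 and the Word install alone. The flag is a prompt for review rather than proof of exposure: an installed version string cannot show whether the 2009 update was applied, so each hit still needs a patch-level check or a decision to retire the product.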