CVE-2009-0238

Published Feb 25, 2009

Last updated a month ago

Exploit known CVSS high 8.8

Overview

Description: Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.
Source: secure@microsoft.com
NVD status: Analyzed
Products: excel, excel_viewer, office, office_compatibility_pack, office_excel_viewer

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 9.3
Impact score: 10
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:C/I:C/A:C

Known exploits

Data from CISA

Vulnerability name: Microsoft Office Remote Code Execution
Exploit added on: Apr 14, 2026
Exploit action due: Apr 28, 2026
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov: CWE-94
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-94

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:excel:2000:sp3:*:*:*:*:*:*",
            "matchCriteriaId": "439B26BA-376C-4D6B-B7BA-B66B8BDA8E37",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:excel:2002:sp3:*:*:*:*:*:*",
            "matchCriteriaId": "896E23B1-AB34-43FF-96F3-BA6ED7F162AF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:excel:2003:sp3:*:*:*:*:*:*",
            "matchCriteriaId": "CEBB33CD-CACF-4EB8-8B5F-8E1CB8D7A440",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:excel:2007:sp1:*:*:*:*:*:*",
            "matchCriteriaId": "F703901F-AD7C-42E7-BBFA-529A8C510D83",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:excel_viewer:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "971EC323-267F-4DAF-BA3B-10A47A9F1ADA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:office:2004:*:*:*:*:macos:*:*",
            "matchCriteriaId": "0B191155-67F2-4C6E-BD0C-AF5AF6F04BA1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:office:2008:*:*:*:*:macos:*:*",
            "matchCriteriaId": "421ACF1B-1B21-4416-98ED-BAA5C210EAE5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:office_compatibility_pack:2007:sp1:*:*:*:*:*:*",
            "matchCriteriaId": "C5C94F2C-786B-45E4-B80A-FC668D917014",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:office_excel_viewer:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "4A2613CE-C469-43AE-A590-87CE1FAADA8B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:office_excel_viewer:2003:sp3:*:*:*:*:*:*",
            "matchCriteriaId": "B18C291F-57C2-4328-8FCF-3C1A27B0D18D",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Known exploits

Weaknesses

Social media

Configurations

Related CVEs

References