    CISA Mandates Patch for Critical Excel Flaw

    CISA added exploited Excel CVE-2009-0238 and SharePoint CVE-2026-32201 to KEV, ordering FCEB agencies to patch in two weeks.

    Published 16 Apr 2026, 04:00:52
    Key Takeaways (Atlas AI)

    1. CISA has mandated federal agencies patch a 17-year-old Excel vulnerability (CVE-2009-0238) due to active exploitation, highlighting the persistent threat of legacy software flaws.

    2. The Excel vulnerability allows remote code execution, enabling attackers to gain full system control and manipulate data, underscoring the critical need for immediate patching to prevent severe breaches.

    3. CISA also added a recent SharePoint vulnerability to its KEV catalog, emphasizing the continuous need for vigilance against both old and new threats that can lead to data spoofing and phishing.

    U.S. cybersecurity officials have ordered federal agencies to fix two newly listed software flaws after confirming active exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) added a long-standing Microsoft Excel remote code execution vulnerability, tracked as CVE-2009-0238, to its Known Exploited Vulnerabilities (KEV) catalog. CISA said the issue is under active exploitation and directed Federal Civilian Executive Branch (FCEB) agencies to apply patches within two weeks.

    The Excel flaw dates back to 2009 and can be triggered when a user opens a specially crafted Excel document. CISA described the impact as remote code execution that can result in full control of an affected system. In the scenario outlined, successful exploitation could allow an attacker to install programs, view or change data, and create new user accounts with full rights.

    CISA said the affected products span multiple Microsoft offerings, including various versions of Microsoft Office Excel, Excel Viewer, and Excel in Microsoft Office for Mac. By placing CVE-2009-0238 in the KEV catalog, CISA is signaling that the vulnerability is not only known but is being used in real-world attacks, elevating the urgency for remediation across government environments that fall under the directive.

    Alongside the Excel entry, CISA also added a newer SharePoint Server vulnerability, CVE-2026-32201, to the KEV catalog. Officials described this SharePoint issue as a zero-day that has been addressed in recent updates. The flaw is characterized as a spoofing vulnerability caused by improper input validation, enabling attackers to spoof data.

    CISA said exploitation of CVE-2026-32201 could lead to access to sensitive information and the alteration of disclosed data. Officials also warned that the ability to present falsified information inside trusted SharePoint environments could support phishing campaigns or other social engineering activity, by making manipulated content appear legitimate to users who rely on SharePoint for internal collaboration and document sharing.

    The KEV catalog is used to prioritize remediation based on observed exploitation, and the two-week deadline for FCEB agencies sets a clear compliance window for the Excel vulnerability. For organizations beyond the federal scope, the listings highlight risks tied to user-driven document opening in Excel and trust-based workflows in SharePoint, where spoofed data can influence decisions and user behavior.

    Risks and unknowns: CISA did not provide details in the announcement about the specific threat actors, the scale of exploitation, or which environments have been targeted. The agency’s directive focuses on patching timelines and the security impact described for each vulnerability, leaving the broader operational footprint of the campaigns unspecified.
