CISA Flags Actively Exploited Microsoft Office and SharePoint Vulnerabilities (CVE-2009-0238, CVE-2026-32201)

Filip Dimitrov

April 15, 2026

CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild. The inclusion of both a legacy Microsoft Office flaw and a newer SharePoint vulnerability highlights continued attacker focus on widely deployed enterprise platforms, particularly those exposed to phishing workflows and internet-facing services.

Organizations should treat both vulnerabilities as high priority due to confirmed exploitation and their potential for initial access and remote code execution.

Threat Overview

CVE-2009-0238: Microsoft Office Remote Code Execution

Despite its age, this vulnerability remains effective due to its use in phishing campaigns. Attackers typically weaponize malicious Office documents to trigger remote code execution when opened by the victim. These attacks are often paired with social engineering to bypass user suspicion.

CVE-2026-32201: Microsoft SharePoint Server Improper Input Validation

This vulnerability affects SharePoint Server and enables exploitation through improper input validation. Given SharePoint’s role in enterprise collaboration and its frequent exposure to the internet, it presents a high-value target for attackers seeking initial access or lateral movement within corporate environments.

Impact Assessment

These vulnerabilities represent two distinct but complementary attack paths:

  • User-level compromise via phishing (Office)
  • Server-level compromise via exposed services (SharePoint)

Organizations with:

  • Legacy Office deployments
  • Internet-exposed SharePoint instances
  • Weak patching or vulnerability management processes

are at elevated risk of compromise.

The continued exploitation of a 2009-era vulnerability underscores a key reality:

Attackers do not rely on new vulnerabilities alone. They exploit what remains unpatched.

Recommended Actions

Organizations should take immediate steps to reduce exposure:

  1. Patch immediately
     • Apply all relevant Microsoft security updates for Office and SharePoint
     • Prioritize assets exposed to the internet
  2. Audit SharePoint exposure
     • Identify all internet-facing SharePoint servers
     • Restrict access where possible (VPN, IP allowlists, Zero Trust controls)
  3. Harden email security
     • Block or sandbox suspicious Office attachments
     • Disable macros and enforce protected view policies
  4. Enable endpoint and identity monitoring
     • Ensure you have full visibility into credential access attempts, unusual login patterns following document interaction, and privilege escalation events
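One way to act on steps 1 and 2, shown as an added example that is not code from OP Innovate or CISA: cross-reference scanner findings against the KEV catalog and order the patch queue so internet-facing assets come first. The KEV sample uses the `vulnerabilities` / `cveID` layout of CISA's JSON feed; the hostnames, the findings layout and the placeholder CVE are constructed for illustration.

```python
import json

# Constructed sample in the layout of CISA's KEV JSON feed (only the field used here).
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2009-0238"},
  {"cveID": "CVE-2026-32201"}
]}
""")

# Constructed scanner export, one row per (asset, finding). Hostnames are hypothetical.
FINDINGS = [
    {"asset": "ws-finance-07", "cve": "cve-2009-0238 ", "internet_facing": False},
    {"asset": "sp-portal-01", "cve": "CVE-2026-32201", "internet_facing": True},
    {"asset": "sp-intranet-02", "cve": "CVE-2026-32201", "internet_facing": False},
    # Placeholder ID that is not in the KEV sample; it must be filtered out.
    {"asset": "build-03", "cve": "CVE-0000-00000", "internet_facing": True},
]


def kev_ids(feed):
    """Return the set of CVE IDs listed in a KEV feed document."""
    return {v["cveID"].strip().upper() for v in feed.get("vulnerabilities", [])}


def patch_queue(findings, feed):
    """Group KEV-listed findings per asset, internet-facing assets first."""
    known = kev_ids(feed)
    per_asset = {}
    for f in findings:
        cve = f["cve"].strip().upper()  # scanner exports vary in case and spacing
        if cve not in known:
            continue
        entry = per_asset.setdefault(
            f["asset"], {"asset": f["asset"], "internet_facing": False, "cves": set()}
        )
        entry["internet_facing"] |= bool(f["internet_facing"])
        entry["cves"].add(cve)
    queue = [dict(e, cves=sorted(e["cves"])) for e in per_asset.values()]
    # Exposed assets first, then assets with more KEV findings, then by name.
    return sorted(queue, key=lambda e: (not e["internet_facing"], -len(e["cves"]), e["asset"]))


if __name__ == "__main__":
    for item in patch_queue(FINDINGS, KEV_FEED):
        exposure = "internet-facing" if item["internet_facing"] else "internal"
        print(f'{item["asset"]:<16} {exposure:<16} {", ".join(item["cves"])}')
```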

Stay Safe. Stay Secure

OP Innovate Research Team
