---
title: "CISA Warns of Two Actively Exploited Microsoft Vulnerabilities"
short_title: "CISA adds two critical Microsoft vulnerabilities"
description: "CISA has added CVE-2009-0238 and CVE-2026-32201 to its KEV Catalog due to active exploitation. Learn mitigation steps and why timely patching is critical."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [cisa, microsoft, cve-2009-0238, cve-2026-32201, threat-intelligence]
score: 0.85
cve_ids: [CVE-2009-0238, CVE-2026-32201]
---
TL;DR
CISA has added two actively exploited Microsoft vulnerabilities—CVE-2009-0238 (Office RCE) and CVE-2026-32201 (SharePoint improper input validation)—to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies must patch immediately, but all organizations are urged to prioritize remediation to mitigate cyberattack risks.
---
Main Content
The Cybersecurity and Infrastructure Security Agency (CISA) has elevated the urgency around two Microsoft vulnerabilities after confirming their active exploitation in the wild. These flaws, now listed in the Known Exploited Vulnerabilities (KEV) Catalog, serve as frequent attack vectors for malicious cyber actors and pose severe risks to federal and enterprise networks alike.
Key Points
- CVE-2009-0238: A remote code execution (RCE) vulnerability in Microsoft Office, allowing attackers to execute arbitrary code on vulnerable systems.
- CVE-2026-32201: An improper input validation vulnerability in Microsoft SharePoint Server, enabling unauthorized actions or data manipulation.
- Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by the specified due date.
- While BOD 22-01 applies only to federal agencies, CISA strongly recommends all organizations prioritize patching to reduce exposure to cyber threats.
---
Technical Details
#### CVE-2009-0238: Microsoft Office Remote Code Execution Vulnerability
This 16-year-old vulnerability resurfaced due to its exploitation in recent attacks. It affects older versions of Microsoft Office and allows attackers to execute malicious code remotely by tricking users into opening a specially crafted file. Despite its age, unpatched systems remain vulnerable, making it a low-effort, high-impact target for threat actors.
#### CVE-2026-32201: Microsoft SharePoint Server Improper Input Validation Vulnerability
This flaw affects Microsoft SharePoint Server and stems from inadequate validation of user-supplied input. Attackers can exploit this vulnerability to perform unauthorized actions, such as modifying or deleting data, or even gaining control over the affected server. Active exploitation suggests that attackers are leveraging it to compromise enterprise collaboration platforms.
---
Impact Assessment
The inclusion of these vulnerabilities in the KEV Catalog underscores their severity and the immediate risk they pose:
- Federal Agencies: BOD 22-01 requires FCEB agencies to patch these vulnerabilities within the specified timeframe to prevent breaches.
- Private Sector: Organizations that delay remediation risk falling victim to ransomware, data exfiltration, or other malicious activities.
- Supply Chain Risks: Third-party vendors or partners using unpatched systems could inadvertently expose interconnected networks to attacks.
---
Mitigation Steps
To protect against these threats, CISA and Microsoft recommend the following actions:
1. Apply Patches Immediately: Install the latest security updates for Microsoft Office and SharePoint Server.
2. Isolate Vulnerable Systems: If patching is not immediately possible, isolate affected systems from critical networks.
3. Monitor for Exploitation: Deploy intrusion detection systems (IDS) to identify signs of compromise.
4. Educate Employees: Train staff to recognize phishing attempts or malicious files that could exploit these vulnerabilities.
5. Review CISA’s KEV Catalog: Regularly check the [KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) for updates on actively exploited vulnerabilities.
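One way to turn steps 1 and 5 into a repeatable check, as an added example that is not code from CISA or from the original post: match KEV entries against an asset inventory and rank open findings by remediation due date. The feed is a constructed sample that uses the KEV JSON field names (`cveID`, `vendorProject`, `product`, `dueDate`); its dates, the `INVENTORY` hosts and the `kev_findings` helper are assumptions.

```python
import json
from datetime import date

# Constructed sample shaped like the KEV JSON feed. The CVE IDs come from this
# article; product strings and all dates are made up for illustration.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft",
     "product": "Office", "dateAdded": "2030-01-01", "dueDate": "2030-01-15"},
    {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft",
     "product": "SharePoint Server", "dateAdded": "2030-01-01", "dueDate": "2030-01-22"},
]})

# Hypothetical inventory: one row per host, with the CVEs already remediated there.
INVENTORY = [
    {"host": "ws-014", "vendor": "microsoft", "product": "office", "fixed": set()},
    {"host": "sp-01", "vendor": "microsoft", "product": "sharepoint server",
     "fixed": {"CVE-2026-32201"}},
    {"host": "sp-02", "vendor": "microsoft", "product": "sharepoint server", "fixed": set()},
    {"host": "db-03", "vendor": "othervendor", "product": "database", "fixed": set()},
]

def kev_findings(feed_json, inventory, today):
    """Return unremediated KEV matches for the inventory, most overdue first."""
    findings = []
    for vuln in json.loads(feed_json).get("vulnerabilities", []):
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            # Vendor/product match only: this over-reports, because the feed
            # does not say which versions are affected. Confirm each hit
            # against the vendor advisory before closing or escalating it.
            same_product = (asset["vendor"] == vuln["vendorProject"].lower()
                            and asset["product"] == vuln["product"].lower())
            if not same_product or vuln["cveID"] in asset["fixed"]:
                continue
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "due": due.isoformat(),
                "days_left": (due - today).days,  # negative means overdue
            })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in kev_findings(SAMPLE_FEED, INVENTORY, date(2030, 1, 18)):
        status = "OVERDUE" if f["days_left"] < 0 else "open"
        print(f'{f["host"]:8} {f["cve"]:16} due {f["due"]} ({status}, {f["days_left"]}d)')
```
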
---
Conclusion
The addition of CVE-2009-0238 and CVE-2026-32201 to CISA’s KEV Catalog serves as a stark reminder of the persistent risks posed by unpatched vulnerabilities. While federal agencies are required to act, all organizations must prioritize timely remediation to safeguard their systems. Proactive vulnerability management is not just a best practice—it’s a critical defense against evolving cyber threats.
For more details, refer to CISA’s official advisory and Microsoft’s security updates.
---
References
[^1]: CISA. "[CISA Adds Two Known Exploited Vulnerabilities to Catalog](https://www.cisa.gov/news-events/alerts/2026/04/14/cisa-adds-two-known-exploited-vulnerabilities-catalog)". Retrieved 2025-01-24.
[^2]: Microsoft. "[CVE-2009-0238 Detail](https://www.cve.org/CVERecord?id=CVE-2009-0238)". Retrieved 2025-01-24.
[^3]: Microsoft. "[CVE-2026-32201 Detail](https://www.cve.org/CVERecord?id=CVE-2026-32201)". Retrieved 2025-01-24.
[^4]: CISA. "[Binding Operational Directive 22-01](https://www.cisa.gov/binding-operational-directive-22-01)". Retrieved 2025-01-24.