The Cybersecurity and Infrastructure Security Agency has added two Microsoft vulnerabilities to its Known Exploited Vulnerabilities Catalog, including a 17-year-old Office flaw that attackers continue to weaponize. CVE-2009-0238, first patched in 2009, and CVE-2026-32201, affecting SharePoint Server, now carry mandatory remediation deadlines for federal agencies and serve as critical warnings for all organizations.

CISA's April 14, 2026 update demonstrates that vulnerability age provides no protection when attackers find reliable entry points into widely deployed software. The agency assigned a remediation deadline of May 5, 2026 for both vulnerabilities, requiring federal civilian executive branch agencies to apply patches or implement mitigation measures.

The 17-Year-Old Vulnerability That Won't Die

CVE-2009-0238 affects Microsoft Office PowerPoint 2000 through 2007 and Office 2004 for Mac. This memory corruption vulnerability in PowerPoint's handling of specially crafted files allows remote code execution when a user opens a malicious presentation. Microsoft originally addressed this flaw with security bulletin MS09-017 in May 2009, yet attackers continue to exploit it nearly two decades later.

The persistence of this vulnerability highlights several critical security realities. Legacy Office installations remain operational in many organizations despite being well beyond their support lifecycle. Attackers maintain exploit toolkits for vulnerabilities that provide reliable access to target environments. The widespread deployment of Office software creates a massive attack surface that extends across decades of versions.

SharePoint Server Vulnerability: CVE-2026-32201

CVE-2026-32201 affects Microsoft SharePoint Server; the affected versions are unspecified. While technical details remain limited in the initial advisory, SharePoint vulnerabilities typically involve privilege escalation, remote code execution, or information disclosure. Given CISA's classification and remediation requirements, this represents an actively exploited vulnerability requiring immediate attention.

SharePoint Server deployments often contain sensitive organizational data, making them high-value targets for attackers. The platform's integration with Active Directory and other enterprise systems can provide attackers with lateral movement opportunities once initial access is achieved.

CISA's Known Exploited Vulnerabilities Catalog: What It Means

CISA's KEV Catalog serves as a prioritized list of vulnerabilities with confirmed active exploitation. While binding requirements apply specifically to federal agencies, the catalog provides essential guidance for all organizations. Inclusion in the KEV Catalog indicates that:

  • Attackers are actively weaponizing these vulnerabilities in real-world attacks
  • Reliable exploit code exists and circulates in criminal ecosystems
  • The vulnerabilities provide sufficient value to maintain in attacker toolkits
  • Remediation should be treated as urgent rather than scheduled maintenance

Federal agencies must comply with Binding Operational Directive 22-01, which requires remediation of KEV-listed vulnerabilities within specified timeframes. Private sector organizations should treat these deadlines as best practice guidelines for their own security programs.

The Practical Impact of Legacy Vulnerability Exploitation

Organizations maintaining older Office installations face immediate risks from CVE-2009-0238. The vulnerability's age creates a false sense of security, with many administrators assuming that 17-year-old flaws no longer pose threats. This misconception enables successful attacks against environments where:

  • Legacy business applications require specific Office versions
  • Budget constraints delay software modernization
  • Testing cycles for new Office versions extend deployment timelines
  • Decentralized purchasing leads to inconsistent software versions

Attackers exploit these organizational realities by maintaining attack chains that work across multiple Office generations. The low cost of maintaining older exploits compared to developing new ones makes legacy vulnerabilities economically attractive for threat actors.

Mitigation Strategies for Vulnerable Environments

For organizations unable to immediately update vulnerable Office installations, several mitigation strategies can reduce risk:

  • Implement application whitelisting to prevent unauthorized PowerPoint execution
  • Configure Microsoft Office File Block policy to prevent opening of older file formats
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET) or equivalent exploit protection
  • Segment networks to limit lateral movement from compromised systems
  • Monitor for suspicious PowerPoint file execution and macro activity

SharePoint Server administrators should apply all available security updates immediately. Additional protective measures include reviewing and hardening SharePoint service accounts, implementing least-privilege access controls, and monitoring for unusual authentication patterns or data access.

The Broader Implications for Enterprise Security

CISA's action highlights systemic challenges in enterprise vulnerability management. The continued exploitation of CVE-2009-0238 reveals gaps in patch deployment processes, software lifecycle management, and risk assessment methodologies. Organizations must confront several uncomfortable truths:

  • Vulnerability age correlates poorly with actual risk
  • Attackers maintain capabilities longer than defenders maintain defenses
  • Software support lifecycles often conflict with operational requirements
  • Compliance frameworks sometimes prioritize recent vulnerabilities over actively exploited ones

Effective vulnerability management requires continuous reassessment of older flaws based on threat intelligence rather than arbitrary age thresholds. Security teams should prioritize remediation based on exploitation evidence, asset criticality, and attack impact rather than vulnerability publication dates.
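The prioritization described above, sketched as an added example (not code from CISA or from the original article): open findings are ranked by KEV listing, remediation deadline and asset criticality, next to a naive "newest CVE first" ordering for contrast. The KEV records are a constructed sample using the feed's cveID/dateAdded/dueDate fields with the dates stated in this article; the host names, criticality scores and CVE-2025-XXXXX are hypothetical placeholders.

```python
import json
from datetime import date

# Constructed sample in the KEV JSON feed's field layout (cveID, dateAdded,
# dueDate); the CVE IDs, products and dates are the ones the article states.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2009-0238", "product": "Office PowerPoint",
  "dateAdded": "2026-04-14", "dueDate": "2026-05-05"},
 {"cveID": "CVE-2026-32201", "product": "SharePoint Server",
  "dateAdded": "2026-04-14", "dueDate": "2026-05-05"}]}"""

# Hypothetical scanner findings: (host, CVE, asset criticality 1-5).
# CVE-2025-XXXXX is a placeholder for a recent flaw with no known exploitation.
FINDINGS = [
    ("hr-ws-12", "CVE-2009-0238", 2),
    ("web-stg-02", "CVE-2025-XXXXX", 4),
    ("fin-ws-07", "CVE-2009-0238", 3),
    ("sp-prod-01", "CVE-2026-32201", 5),
]

def load_kev(raw):
    """Index KEV entries by CVE ID, parsing dueDate into a date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(raw)["vulnerabilities"]}

def rank_by_age(findings):
    """Naive 'newest CVE first' ordering, shown for contrast."""
    return sorted(findings, key=lambda f: -int(f[1].split("-")[1]))

def rank_by_exploitation(findings, kev, today):
    """KEV-listed first, then nearest due date, then asset criticality."""
    rows = []
    for host, cve, crit in findings:
        due = kev.get(cve)
        rows.append({"host": host, "cve": cve, "criticality": crit,
                     "in_kev": due is not None,
                     "days_left": (due - today).days if due else None})
    return sorted(rows, key=lambda r: (not r["in_kev"],
                  r["days_left"] if r["in_kev"] else 0, -r["criticality"]))

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for r in rank_by_exploitation(FINDINGS, kev, date(2026, 4, 20)):
        print(r)
```

A negative days_left means the deadline has passed, and those findings sort ahead of everything else.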

Forward-Looking Security Recommendations

Microsoft's response to these vulnerabilities—a 2009 patch for CVE-2009-0238 and ongoing updates for SharePoint Server—demonstrates the different challenges posed by legacy versus current software. Organizations should implement several strategic improvements:

  • Establish formal processes for identifying and mitigating legacy vulnerabilities with known exploits
  • Develop contingency plans for rapid patching when older vulnerabilities resurface in threat intelligence
  • Implement application inventory and vulnerability mapping across all software generations
  • Participate in information sharing programs to receive early warnings about resurgent threats
  • Consider legacy system isolation or replacement when security risks outweigh operational benefits

CISA's KEV Catalog additions serve as a reminder that cybersecurity requires both forward-looking protection and backward-looking remediation. The most dangerous vulnerabilities aren't always the newest ones—they're the ones attackers find most useful, regardless of when they were discovered.

Security teams should treat CISA's KEV Catalog as a living threat intelligence feed rather than a compliance checklist. Each addition represents not just another vulnerability to patch, but a window into attacker tradecraft, targeting priorities, and exploitation economics. By understanding why attackers continue to use 17-year-old exploits, defenders can better anticipate which of today's vulnerabilities might still be threatening in 2043.