Threat Summary
Category: Vulnerability Exploitation / Remote Code Execution / Enterprise Platform Risk
Features: Document-Based RCE, Input Validation Weakness, Server-Side Exploitation, Legacy Vulnerability Reuse
Delivery Method: Malicious Document Execution → Payload Deployment / SharePoint Request Manipulation → Server Compromise
Threat Actor: Multiple (Opportunistic and Targeted Exploitation)
The Cybersecurity and Infrastructure Security Agency (CISA) has added two more vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation affecting Microsoft Office and Microsoft SharePoint Server environments.
The vulnerabilities identified include:
- CVE-2009-0238 — Microsoft Office Remote Code Execution vulnerability
- CVE-2026-32201 — Microsoft SharePoint Server improper input validation vulnerability
The inclusion of a vulnerability first disclosed in 2009 alongside a current-year SharePoint flaw reinforces a persistent condition across enterprise environments: legacy exposure remains operational when patching and system modernization lag behind threat activity.
CVE-2009-0238 enables remote code execution through malicious Office documents. When opened, the crafted file can trigger execution of arbitrary code within the user’s context. This class of vulnerability remains effective due to continued use of legacy Office components, backward compatibility dependencies, and document-based workflows that allow untrusted files to enter internal environments.
CVE-2026-32201 introduces risk at the server level within Microsoft SharePoint deployments. Improper input validation allows adversaries to manipulate request data, potentially leading to unauthorized execution, data access, or system compromise depending on configuration and privilege boundaries. SharePoint environments are frequently integrated into enterprise collaboration, document management, and internal workflow systems, making them high-value targets once exposed.
The KEV Catalog designation confirms that neither vulnerability is a theoretical risk: both are actively being used in real-world intrusion attempts. This status elevates remediation urgency beyond standard patch cycles, requiring immediate prioritization.
Binding Operational Directive 22-01 mandates that Federal Civilian Executive Branch agencies remediate KEV-listed vulnerabilities within specified timelines. The directive establishes the catalog as an enforcement mechanism, aligning patching priorities with confirmed exploitation activity rather than severity scoring alone.
The risk extends beyond federal environments. Organizations operating Microsoft Office and SharePoint infrastructures face direct exposure when these vulnerabilities remain unpatched. Document-based attack vectors continue to serve as initial access points, while server-side weaknesses provide pathways for persistence and lateral movement.
Attack chains involving Office-based RCE frequently begin with phishing delivery, where malicious attachments are used to initiate execution. Once access is established, adversaries may pivot toward internal systems, targeting collaboration platforms such as SharePoint to expand control and access sensitive data repositories.
The continued exploitation of legacy vulnerabilities highlights a structural issue in vulnerability management. Systems that remain operational without full patch coverage provide a stable attack surface that requires no new exploit development. Adversaries reuse proven techniques against environments that have not closed known gaps.
Infrastructure at Risk
Enterprise endpoints running Microsoft Office, particularly those supporting legacy components or macros, are exposed to document-based execution attacks. SharePoint servers, both on-premises and hybrid deployments, represent critical infrastructure at risk due to their role in internal data storage and workflow management.
Policy / Allied Pressure
Binding Operational Directive 22-01 continues to drive federal remediation efforts, reinforcing a model where known exploited vulnerabilities are treated as immediate operational risks. Broader adoption of KEV-based prioritization is increasing across private sector environments as organizations align patching strategies with active threat intelligence.
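KEV-based prioritization as described above, in an added example that is not part of the original article: open findings are ordered by KEV listing and due date first, and by severity score only after that. The KEV excerpt, due dates, hosts, scores and the CVE-0000-* placeholder ids are constructed for illustration; only the two CVE ids come from this page.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed ("cveID" and "dueDate"
# are real feed fields). The due dates are placeholders, not CISA's values.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2009-0238", "product": "Office", "dueDate": "2026-05-01"},
    {"cveID": "CVE-2026-32201", "product": "SharePoint Server", "dueDate": "2026-04-28"},
]}

# Constructed scanner findings: hosts and scores are hypothetical, and the
# CVE-0000-* ids are placeholders for high-scoring issues not listed in KEV.
FINDINGS = [
    {"host": "db-07", "cve": "CVE-0000-0001", "score": 9.8},
    {"host": "web-02", "cve": "CVE-0000-0002", "score": 8.1},
    {"host": "ws-114", "cve": "CVE-2009-0238", "score": 7.0},
    {"host": "sp-01", "cve": "CVE-2026-32201", "score": 6.5},
]


def prioritize(findings, kev, today):
    """Rank findings: KEV-listed first (earliest due date first), then by score."""
    kev_by_cve = {v["cveID"]: v for v in kev["vulnerabilities"]}
    ranked = []
    for f in findings:
        entry = kev_by_cve.get(f["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            **f,
            "kev": entry is not None,
            "due": due,
            # Overdue means the KEV remediation deadline has already passed.
            "overdue": due is not None and due < today,
        })
    # Sort key: KEV before non-KEV, then nearest deadline, then highest score.
    ranked.sort(key=lambda r: (not r["kev"], r["due"] or date.max, -r["score"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_SAMPLE, today=date(2026, 4, 30)):
        status = "OVERDUE" if r["overdue"] else ("KEV" if r["kev"] else "backlog")
        print(f'{r["host"]:8} {r["cve"]:16} score={r["score"]:<4} {status}')
```

A severity-only sort of the same findings would put db-07 and web-02 ahead of both KEV-listed items.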
Vendor Defense / Reliance
Mitigation requires immediate patch application, combined with restrictions on document execution, macro control policies, and enhanced email filtering. SharePoint environments require strict input validation controls, access segmentation, and monitoring of abnormal request patterns. Detection strategies must account for both endpoint and server-side activity.
Forecast — 30 Days
- Continued exploitation of legacy Office vulnerabilities through phishing campaigns
- Increased targeting of SharePoint servers for initial access and lateral movement
- Expansion of attack chains combining document-based entry with server compromise
- Accelerated scanning for unpatched enterprise collaboration platforms
- Increased prioritization of KEV-listed vulnerabilities across enterprise patch cycles
TRJ Verdict
The timeline does not protect the system.
A vulnerability from 2009 remains active because the environment still allows it. Age does not remove risk. It extends it.
The addition of a current SharePoint flaw alongside a legacy Office exploit defines the threat model. Attackers do not differentiate between old and new. They target what remains exposed.
The KEV Catalog reflects active exploitation, not theoretical weakness. Every entry represents access that is already being used.
The system is not breached by innovation. It is breached by persistence.