CVE-2009-0238

Microsoft Office Remote Code Execution (CVE-2009-0238)

Initial Access Execution TA0059 Last updated:

CVE-2009-0238 is a remote code execution vulnerability in Microsoft Office (addressed in MS09-009) caused by improper handling of specially crafted Excel files, leading to arbitrary code execution in the context of the logged-on user. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog and has been actively exploited in the wild via malicious Office documents delivered through phishing campaigns.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Microsoft
Product
Office

Weakness (CWE)

CWE-94

Timeline

Disclosed
April 14, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2009-0238 Microsoft Office Remote Code Execution (CVE-2009-0238)?

Microsoft Office Remote Code Execution (CVE-2009-0238) (CVE-2009-0238) maps to the Initial Access and Execution tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Microsoft Office Remote Code Execution (CVE-2009-0238), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution TA0059
Microsoft Sentinel / Defender
kusto 
let suspiciousOfficeProcs = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"]);
DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where InitiatingProcessFileName in~ ("excel.exe", "winword.exe", "powerpnt.exe")
| where FileName in~ (suspiciousOfficeProcs)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName
| extend RiskIndicator = case(
    ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-encoded", "Encoded Powershell",
    ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "WebClient", "Network Download",
    ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Expression", "In-Memory Execution",
    "Suspicious Child Process"
  )
| order by TimeGenerated desc

Detects Microsoft Office applications (Excel, Word, PowerPoint) spawning suspicious child processes indicative of CVE-2009-0238 exploitation, where a malicious document triggers code execution via a spawned shell or interpreter.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents

Required Tables

DeviceProcessEvents

False Positives

  • Legitimate macros in trusted documents that spawn command-line tools for business automation
  • IT administration scripts triggered from Office-integrated tooling
  • Developers running build or test scripts from within Excel or Word templates

Sigma rule & cross-platform mapping

The detection logic for Microsoft Office Remote Code Execution (CVE-2009-0238) (CVE-2009-0238) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2009-0238 Sigma rules on detection.fyi

Platform-specific guides for CVE-2009-0238

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Office Spawning PowerShell Encoded Command

    Expected signal: Sysmon Event ID 1 showing EXCEL.EXE as parent process of powershell.exe with a -EncodedCommand argument; DeviceProcessEvents in MDE capturing the parent-child chain

  2. Test 2Office Spawning CMD with Network Download

    Expected signal: Sysmon Event ID 1 for cmd.exe and certutil.exe processes; Sysmon Event ID 3 (Network Connect) from certutil.exe to 127.0.0.1:8888; Sysmon Event ID 11 for test_artifact.exe creation in TEMP

  3. Test 3Malicious Excel File Macro Execution Simulation via WScript

    Expected signal: Sysmon Event ID 11 for sim_payload.vbs creation; Sysmon Event ID 1 for wscript.exe and subsequently calc.exe process creation; parent chain visible in EDR

Unlock Pro Content

Get the full detection package for CVE-2009-0238 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002Execution

Related Techniques

T1203Exploitation for Client ExecutionT1566.001Spearphishing AttachmentT1059.001PowerShell

Same Tactic: Initial Access

Popular Detections