CISA KEV Catalog Update: Microsoft Office RCE and SharePoint Exploited
- Immediate impact: Federal and all organizations face active exploitation of critical Microsoft vulnerabilities.
- Affected systems: Microsoft Office (RCE via CVE-2009-0238) and SharePoint Server (input validation via CVE-2026-32201).
- Remediation: Prioritize immediate patching of these KEV catalog vulnerabilities to protect against active threats.
CISA Adds Critical Microsoft Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical update to its Known Exploited Vulnerabilities (KEV) Catalog, adding two Microsoft vulnerabilities based on evidence of active exploitation. This addition underscores the persistent threat posed by unpatched systems, even for older vulnerabilities, and highlights CISA’s directive for federal agencies, alongside a strong recommendation for all organizations, to remediate these flaws promptly. The vulnerabilities, a Remote Code Execution (RCE) in Microsoft Office and an improper input validation flaw in Microsoft SharePoint Server, represent frequent attack vectors that malicious cyber actors exploit to gain initial access, escalate privileges, or disrupt operations.
Technical Analysis of Exploited Vulnerabilities
CVE-2009-0238: Microsoft Office Remote Code Execution Vulnerability
This CVE refers to a critical flaw in Microsoft Office Excel that permits RCE. Despite its age, dating back to 2009, its inclusion in CISA’s KEV catalog signifies that unpatched instances remain a significant risk and are actively targeted by threat actors. Attackers typically exploit such vulnerabilities by crafting malicious Office documents (e.g., Excel spreadsheets) that, when opened, execute arbitrary code on the victim’s system. This could lead to full system compromise, data exfiltration, or the deployment of additional malware, establishing a foothold for further malicious activity. Organizations that have not diligently applied updates over the years, or those running legacy systems, are particularly vulnerable to this enduring threat.
CVE-2026-32201: Microsoft SharePoint Server Improper Input Validation Vulnerability
CVE-2026-32201 identifies an improper input validation vulnerability within Microsoft SharePoint Server. While specific exploit details for this vulnerability are not publicly disclosed by CISA, improper input validation flaws can often be leveraged for various nefarious purposes, including Cross-Site Scripting (XSS), injection attacks, or even RCE in certain contexts. Such vulnerabilities allow attackers to submit malformed data that the application fails to properly sanitize, leading to unexpected and exploitable behavior. Given SharePoint’s common role in enterprise collaboration and document management, successful exploitation of this flaw could enable unauthorized access to sensitive information, defacement of portals, or compromise of the underlying server infrastructure. The proactive listing of this vulnerability in the KEV catalog underscores its immediate threat potential despite its future-dated identifier, implying active reconnaissance or exploitation attempts are underway or highly anticipated.
The Significance of CISA’s KEV Catalog and BOD 22-01
CISA’s Known Exploited Vulnerabilities Catalog is a dynamic list of security flaws for which there is confirmed evidence of active exploitation. Its purpose, formalized by Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, is to compel Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by specified due dates. While BOD 22-01 directly applies only to FCEB entities, CISA consistently urges all organizations, regardless of sector, to adopt the same rigorous approach to their vulnerability management practices. The presence of a vulnerability in the KEV catalog means it is a proven target for adversaries, and its continued existence in any environment significantly elevates an organization’s risk profile.
Actionable Recommendations and Mitigation Strategies
Protecting against these actively exploited vulnerabilities requires prompt and decisive action. Organizations must prioritize the timely remediation of all vulnerabilities listed in CISA’s KEV Catalog.
Prioritizing Remediation for CVE-2026-32201 and Other KEVs
- Immediate Patching: For CVE-2009-0238 and CVE-2026-32201, apply all available security updates and patches from Microsoft for affected Office and SharePoint Server versions. Ensure all systems running these applications are updated without delay. This is the single most effective mitigation for the Microsoft Office Remote Code Execution vulnerability and remediation for the SharePoint flaw.
- Asset Inventory: Maintain an accurate and up-to-date inventory of all software and hardware assets. This includes identifying all instances of Microsoft Office, particularly older versions, and SharePoint Server deployments within the environment.
- Vulnerability Scanning: Conduct regular and comprehensive vulnerability scans across the network to identify unpatched systems and ensure CISA KEV Catalog remediation guidance is followed consistently.
- Endpoint Protection: Deploy and maintain robust Endpoint Detection and Response (EDR) solutions to detect and prevent exploitation attempts, even if patches are pending. Configure these solutions to block suspicious execution originating from Office documents or web application interactions.
- Network Segmentation: Implement network segmentation to limit the potential for lateral movement if an exploitation attempt is successful on an endpoint or server.
- User Awareness Training: Educate users about the risks of opening suspicious attachments or clicking malicious links, particularly concerning Office documents and SharePoint access. Phishing remains a primary delivery mechanism for exploits targeting end-users.
- Logging and Monitoring: Enhance logging on Office and SharePoint servers, and integrate these logs into a Security Information and Event Management (SIEM) system. Monitor for unusual activity, failed patch deployments, or indicators of compromise (IoC) associated with these vulnerabilities.
- Least Privilege: Implement the principle of least privilege for all users and applications, minimizing the potential impact of a successful exploit.
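The asset inventory and scanning steps above come together when the inventory is checked against the KEV feed itself. The following is an added example (not CISA's or Microsoft's code): it cross-references a constructed software inventory with a constructed excerpt in the shape of the KEV JSON feed and lists the open exposures per host in BOD 22-01 due-date order. The field names (cveID, vendorProject, product, dueDate, requiredAction) follow the published feed schema; the dates, hostnames and the third catalog entry are placeholders.

```python
"""Match a software inventory against KEV-format records and rank by due date."""
import json
from datetime import date

# CONSTRUCTED excerpt shaped like the CISA KEV feed. Dates are placeholders,
# and CVE-EXAMPLE-0001 is a deliberately invalid id used as a non-matching decoy.
KEV_FEED_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft", "product": "Office",
  "vulnerabilityName": "Microsoft Office Remote Code Execution Vulnerability",
  "dateAdded": "2026-04-01", "dueDate": "2026-04-22",
  "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
 {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint Server",
  "vulnerabilityName": "Microsoft SharePoint Server Improper Input Validation Vulnerability",
  "dateAdded": "2026-04-01", "dueDate": "2026-04-22",
  "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
 {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "OtherApp",
  "vulnerabilityName": "Unrelated placeholder entry", "dateAdded": "2026-03-01",
  "dueDate": "2026-03-22", "requiredAction": "Apply updates."}
]}"""

# CONSTRUCTED inventory: 'patched' lists CVE ids already remediated on that host.
INVENTORY = [
    {"host": "ws-finance-07", "vendor": "Microsoft", "product": "Office 2010", "patched": []},
    {"host": "sp-intranet-01", "vendor": "Microsoft", "product": "SharePoint Server 2019", "patched": []},
    {"host": "sp-intranet-02", "vendor": "Microsoft", "product": "SharePoint Server 2019",
     "patched": ["CVE-2026-32201"]},
    {"host": "fs-01", "vendor": "Microsoft", "product": "Windows Server", "patched": []},
]


def _matches(entry, asset):
    """KEV 'product' names a family ("Office"); the inventory carries editions ("Office 2010")."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and asset["product"].lower().startswith(entry["product"].lower()))


def prioritize(feed_json, inventory, as_of):
    """Return open KEV exposures per host, earliest BOD 22-01 due date first.
    as_of is an ISO date string; 'overdue' is True when that date is past dueDate."""
    today = date.fromisoformat(as_of)
    findings = []
    for asset in inventory:
        for entry in json.loads(feed_json)["vulnerabilities"]:
            if not _matches(entry, asset) or entry["cveID"] in asset["patched"]:
                continue
            findings.append({"host": asset["host"], "cveID": entry["cveID"],
                             "dueDate": entry["dueDate"],
                             "overdue": today > date.fromisoformat(entry["dueDate"]),
                             "requiredAction": entry["requiredAction"]})
    return sorted(findings, key=lambda f: (f["dueDate"], f["host"]))


if __name__ == "__main__":
    for f in prioritize(KEV_FEED_JSON, INVENTORY, "2026-04-25"):
        print(f"{'OVERDUE ' if f['overdue'] else ''}{f['host']}: {f['cveID']} due {f['dueDate']}")
```

Pointing `KEV_FEED_JSON` at the downloaded catalog and `INVENTORY` at a CMDB export gives a per-host remediation queue in due-date order; the prefix match is intentionally loose, so review matches for product families with ambiguous names.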
By adopting these measures, organizations can significantly reduce their exposure to threats leveraging these and other actively exploited vulnerabilities, enhancing their overall security posture.