CISA Flags 17-Year-Old Excel Vulnerability Amid Active Exploitation
CISA added a critical 2009 Excel flaw to its exploited vulnerabilities list due to active attacks.
Why it matters: Law firms and corporate legal teams are at risk if legacy vulnerabilities go unpatched. Protecting client and internal data requires immediate attention to old, but newly exploited, flaws.
- CVE-2009-3129, a 17-year-old Excel bug, was added to CISA's KEV Catalog on April 13, 2026.
- The vulnerability enables remote code execution if a user opens a malicious Excel file.
- Microsoft originally patched the flaw in November 2009 via MS09-067.
- CISA urges organizations to remediate vulnerabilities from its KEV Catalog to reduce risk.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2009-3129—a critical Excel vulnerability discovered 17 years ago—to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation as of April 13, 2026.
- The bug is an out-of-bounds write issue in Microsoft Excel's FEATHEADER record parsing, potentially allowing remote code execution when a user opens a specially crafted Excel file.
- Microsoft patched CVE-2009-3129 in November 2009 under security bulletin MS09-067, but the recent wave of attacks signals that many systems may still be vulnerable.
For legal organizations, the warning is clear: even well-aged vulnerabilities can be reweaponized. CISA stated, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." The risk extends to private law firms and in-house counsel who regularly handle sensitive data.
The KEV Catalog is a continuously updated list highlighting actively exploited threats that demand urgent remediation. Firms should inventory their software, confirm patch status for legacy applications, and act swiftly if gaps remain.
Failing to patch old software, even software assumed to be safe, can put critical corporate and client data at risk of compromise.
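The inventory-and-confirm step above is the part most firms do by hand. As an added example (not part of the original article, and not a CISA tool), the Python below shows how the KEV Catalog's published JSON feed can be matched against a software inventory so that any host running a listed product without a recorded remediation is flagged, together with whether CISA's remediation due date has passed. The feed text and the inventory here are constructed samples that mirror the feed's field names (`cveID`, `vendorProject`, `product`, `requiredAction`, `dueDate`); the wording, due date and notes of the CVE-2009-3129 entry are assumptions for illustration, not a copy of the catalog record.

```python
import json
from datetime import date

# Constructed sample mirroring the shape of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field values for CVE-2009-3129 are assumed for illustration; the second entry is a
# placeholder that exists only to show that unrelated products are not reported.
SAMPLE_KEV_FEED = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.04.13",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2009-3129",
      "vendorProject": "Microsoft",
      "product": "Excel",
      "vulnerabilityName": "Microsoft Excel FEATHEADER Record Out-of-Bounds Write Vulnerability",
      "dateAdded": "2026-04-13",
      "shortDescription": "Out-of-bounds write in FEATHEADER record parsing allowing remote code execution when a crafted file is opened.",
      "requiredAction": "Apply mitigations per vendor instructions (MS09-067) or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-05-04",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "PLACEHOLDER-NOTES"
    },
    {
      "cveID": "CVE-0000-0000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry",
      "dateAdded": "2026-04-13",
      "shortDescription": "Placeholder.",
      "requiredAction": "Placeholder.",
      "dueDate": "2026-05-04",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""

# Constructed inventory: host, vendor/product as the asset database records them, and
# the KEV CVEs the patch team has verified as remediated on that host.
INVENTORY = [
    {"host": "wks-legal-01", "vendor": "Microsoft", "product": "Office Excel 2007", "remediated": []},
    {"host": "wks-legal-02", "vendor": "Microsoft", "product": "Office Excel 2007", "remediated": ["CVE-2009-3129"]},
    {"host": "srv-dms-01", "vendor": "Microsoft", "product": "Word", "remediated": []},
]


def load_kev(feed_text):
    """Parse the KEV feed and index its entries by CVE ID."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def _product_matches(kev_entry, asset):
    """Case-insensitive vendor and product match. KEV product names are short
    ('Excel') while asset records are usually longer ('Office Excel 2007')."""
    vendor_ok = kev_entry["vendorProject"].lower() == asset["vendor"].lower()
    product_ok = kev_entry["product"].lower() in asset["product"].lower()
    return vendor_ok and product_ok


def find_exposed(kev, inventory, today_iso):
    """Return one finding per (host, CVE) where a KEV-listed product is present and
    the CVE is not recorded as remediated; overdue findings sort first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for cve_id, entry in kev.items():
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not _product_matches(entry, asset) or cve_id in asset["remediated"]:
                continue
            findings.append({
                "host": asset["host"],
                "cve": cve_id,
                "product": asset["product"],
                "required_action": entry["requiredAction"],
                "due": entry["dueDate"],
                "overdue": today > due,
            })
    findings.sort(key=lambda f: (not f["overdue"], f["due"], f["host"]))
    return findings


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_FEED)
    for f in find_exposed(catalog, INVENTORY, date.today().isoformat()):
        state = "OVERDUE" if f["overdue"] else "open"
        print(f"{state:8} {f['host']:14} {f['cve']:15} {f['product']} (due {f['due']})")
```

In practice the inventory comes from the asset database and `SAMPLE_KEV_FEED` is replaced by the downloaded feed; the `remediated` list should be populated only from verified patch evidence, since the whole point of the KEV process is that assumed-patched legacy installs are the ones that get missed.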
By the numbers:
- 17 years — Age of the Excel vulnerability since its original disclosure and patch
- 7.8 — CVSS v3.1 severity score assigned to CVE-2009-3129
- April 13, 2026 — Date CISA added the flaw to the KEV Catalog
Yes, but: The current exploitation methods and the scale of the attacks remain unclear, which limits how precisely the risk can be assessed.