CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two actively exploited vulnerabilities, CVE-2009-0238 (Microsoft Office RCE) and CVE-2026-32201 (Microsoft SharePoint Server Improper Input Validation), to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to prioritize timely remediation of these vulnerabilities to reduce their exposure to cyberattacks.
Authors: CISA
Source: CISA
Key Takeaways
- CISA added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation.
- CVE-2009-0238 is a Remote Code Execution vulnerability affecting Microsoft Office.
- CVE-2026-32201 is an Improper Input Validation vulnerability affecting Microsoft SharePoint Server.
- Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by a specified due date under BOD 22-01.
- All organizations are strongly urged to prioritize timely remediation of these vulnerabilities to reduce cyberattack exposure.
Affected Systems
- Microsoft Office
- Microsoft SharePoint Server
- Federal Civilian Executive Branch (FCEB) networks
Vulnerabilities (CVEs)
- CVE-2009-0238
- CVE-2026-32201
Attack Chain
Malicious cyber actors are actively exploiting CVE-2009-0238 in Microsoft Office to achieve remote code execution and CVE-2026-32201 in Microsoft SharePoint Server via improper input validation. Specific attack chains, payloads, and post-exploitation activities are not detailed in the alert.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: None provided (N/A)
Detection Engineering Assessment
- EDR Visibility: Medium — EDR may detect post-exploitation activity resulting from Office RCE or SharePoint exploitation, though specific payloads are unknown.
- Network Visibility: Medium — Network sensors may detect anomalous inbound requests to SharePoint or malicious document downloads, but signatures depend on the specific exploit variants.
- Detection Difficulty: Moderate — Without specific IOCs or exploit payloads provided, detection relies on identifying generic post-exploitation behaviors or having up-to-date vulnerability scanners.
Required Log Sources
- Web Server Logs
- Endpoint EDR/AV Logs
- Application Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual child processes spawning from Microsoft Office applications (e.g., cmd.exe, powershell.exe) which may indicate exploitation of CVE-2009-0238. | Process Creation Events (Event ID 4688 / Sysmon Event ID 1) | Execution | Medium |
| Monitor SharePoint server logs for anomalous input patterns or unexpected errors that could indicate attempts to exploit the improper input validation vulnerability (CVE-2026-32201). | Web Server/Application Logs | Initial Access | High |
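The first hunting hypothesis above (Office application spawning a shell or script interpreter) is concrete enough to turn into a small hunting script. The following is an added example and is not part of the CISA alert or any CISA tooling: it reads constructed process-creation records in the shape of Sysmon Event ID 1 / Security Event ID 4688 fields (UtcTime, Computer, ParentImage, Image, CommandLine) from a CSV export and flags Office parents whose child is in a list of interpreters. The Office binary list and the interpreter list are assumptions to be tuned per environment; the sample events, hostnames and paths are constructed. It goes slightly beyond the table row by also covering wscript/cscript/mshta/rundll32/regsvr32 as children, which are the same class of post-exploitation launcher as cmd.exe and powershell.exe.

```python
"""Hunt for Office applications spawning shells or script interpreters.

Added example for the hunting hypothesis above; not code from the CISA
alert. Field names follow Sysmon Event ID 1 (UtcTime, Computer,
ParentImage, Image, CommandLine); the sample telemetry is constructed.
"""
import csv
import io
from pathlib import PureWindowsPath

# Office executables treated as parents of interest (assumption: a typical
# Office install; extend with whatever is deployed in your estate).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "msaccess.exe"}

# Children that Office documents rarely launch legitimately. Helpers such as
# splwow64.exe (print spooler bridge) are deliberately absent to limit noise.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample export: two malicious-looking chains, two benign ones,
# plus a cmd->powershell hop whose parent is not Office (caught by the first
# hit, not by this rule, which is why parent attribution matters).
SAMPLE_EVENTS = r"""UtcTime,Computer,ParentImage,Image,CommandLine
2026-03-10 09:12:01,WS-0142,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c start /b powershell -w hidden -enc AAAA
2026-03-10 09:12:02,WS-0142,C:\Windows\System32\cmd.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -w hidden -enc AAAA
2026-03-10 09:15:44,WS-0077,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\splwow64.exe,C:\Windows\splwow64.exe 12288
2026-03-10 09:20:10,WS-0099,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe
2026-03-10 09:31:05,WS-0077,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,C:\Windows\System32\wscript.exe,wscript.exe C:\Users\u\AppData\Local\Temp\invoice.js
"""


def basename(image: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def office_spawned_interpreter(event: dict) -> bool:
    """True when an Office parent launched a shell/script interpreter."""
    return (basename(event["ParentImage"]) in OFFICE_PARENTS
            and basename(event["Image"]) in SUSPICIOUS_CHILDREN)


def hunt(csv_text: str) -> list[dict]:
    """Return one finding per matching process-creation record."""
    hits = []
    for event in csv.DictReader(io.StringIO(csv_text)):
        if office_spawned_interpreter(event):
            hits.append({
                "time": event["UtcTime"],
                "host": event["Computer"],
                "parent": basename(event["ParentImage"]),
                "child": basename(event["Image"]),
                "cmdline": event["CommandLine"],
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']}: {hit['parent']} -> {hit['child']} :: {hit['cmdline']}")
```

On the constructed sample this yields two findings (WINWORD.EXE launching cmd.exe and OUTLOOK.EXE launching wscript.exe); the EXCEL.EXE to splwow64.exe record and the explorer.exe to cmd.exe record are not flagged, which illustrates why the rule keys on both the parent and the child rather than on either alone. The same logic ports directly to a Sigma rule or a KQL query over DeviceProcessEvents; the table's Medium FP risk reflects macros and add-ins that legitimately call cmd.exe or PowerShell, so an allowlist keyed on command line is the usual tuning step.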
Control Gaps
- Lack of timely patching for known vulnerabilities
Key Behavioral Indicators
- Unexpected child processes from Office applications
- Anomalous web requests to SharePoint servers
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Patch Microsoft Office to remediate CVE-2009-0238.
- Patch Microsoft SharePoint Server to remediate CVE-2026-32201.
Infrastructure Hardening
- Implement a robust vulnerability management program to prioritize KEV catalog items.
- Ensure SharePoint servers are not unnecessarily exposed to the public internet.
User Protection
- Deploy endpoint protection to block malicious Office documents.
- Implement email filtering to prevent delivery of weaponized attachments.
Security Awareness
- Train users to be cautious when opening Office documents from untrusted sources.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1203 - Exploitation for Client Execution