17-Year-Old Excel Vulnerability Now Being Exploited
Though the world of hacking is only getting more advanced, some exploits have seemingly stuck around unchanged for years. A recent alert from the US government highlights a critical security issue: a 17-year-old Excel vulnerability is currently being exploited by threat actors. Originally filed back in February 2009, this curious flaw has finally caught the eye of federal authorities after sitting quietly on detection lists for over a decade.
Published this week by the US Cybersecurity and Infrastructure Security Agency (CISA), this Excel vulnerability in Microsoft Office is now flagged as being actively exploited by threat actors. The specifics of how the exploit works have not been shared publicly, but the record was last updated in 2018, implying that new information about its activity surfaced almost ten years after it was first spotted. It seemingly allows remote attackers to execute code via a specially crafted Excel document, posing a severe risk to users worldwide.
The Mechanics of an Active Remote Code Execution Flaw
When it was first discovered, this attack vector was used to install a Trojan dropper on a device, which would then pull in further malware to compromise the system. The ability to plant nefarious software remotely is naturally a rather dangerous exploit, especially when it slips past modern security measures that were never designed with such legacy code in mind. This remote code execution capability allows attackers to gain unauthorized control over systems without physical access, and without any user interaction beyond opening the malicious file.
The severity score for this flaw stands at an alarming 8.8, which is considered very high in the cybersecurity landscape. However, that does not automatically mean it was widely used or common; rather, the rating measures how severe the consequences of an exploit are, paired with factors like ease of use and likelihood of exploitation. Even so, a score this high combined with confirmed active usage means bad news for organizations still running unpatched legacy systems. The reason it was added to CISA's list of actively exploited vulnerabilities is that it is now considered active, implying some threat actor has managed to use the same method today despite Microsoft patching it years ago.
New SharePoint Risks and the Role of AI in Cybercrime
Alongside this historic flaw, CISA has also flagged a brand new exploit which uses Microsoft Office SharePoint to "perform spoofing over a network." This one is less severe at a score of 6.5, though it is considered active and can even be automated with scriptable tools. The fact that these attacks can be automated means the likes of AI agents can now execute this exploit en masse, significantly scaling the threat landscape.
AI has become a major driver of the growth in cybercrime, serving as a focal point in the nearly $21 billion lost to cybercrime scams last year. Threat actors are increasingly leveraging the technology for:
- Researching new scam vectors and targets with unprecedented speed
- Automating phishing campaigns and social engineering attacks at scale
- Creating deepfakes of CEOs that prompt users to "troubleshoot" fake issues, only for the troubleshooting program they are told to run to contain malicious files
Just because the world is adopting AI in every area doesn't mean that threat actors won't pull out the classics when they seemingly work so well. Some things never change, and as seen with this 17-year-old Excel vulnerability, legacy flaws can resurface to cause modern chaos if left unaddressed. Microsoft patched the problem back when it first showed up, but CISA has now given organizations two weeks to apply that patch once more to mitigate the current active threat.