A 17-year-old Excel vulnerability is currently being exploited by threat actors, and it's been flagged by the US' cyber defence agency


Though the world of hacking is only getting more and more advanced, some exploits have seemingly stuck around unchanged for years. Originally filed back in February 2009, one curious vulnerability has caught the eyes of the US government.

In a report published this week, the American Cybersecurity and Infrastructure Security Agency (CISA) flagged a 17-year-old exploit in Microsoft Office as being actively exploited by threat actors (via The Register). The specifics of how the exploit works have not been shared, but the record was last updated in 2018, implying some new information was found almost a decade after it was first spotted.

This exploit has a severity score of 8.8, which is very high. However, that does not automatically mean it was popular or common: the rating measures how severe the consequences of an exploit are, paired with factors like ease of use. Even so, a score this high is bad news.

The reason it was added to CISA's list of vulnerabilities is that it is now considered active, which implies some threat actor, or group of threat actors, has managed to use the same method today. Microsoft did patch the problem back when it first showed up, but CISA has given it two weeks to patch it once more.

Alongside this, CISA has also flagged a brand new exploit which uses Microsoft Office SharePoint to "perform spoofing over a network." This one is less severe, at a score of 6.5, though it is considered active and is even automatable. This means the likes of AI agents can carry out this exploit en masse.

AI is a major driver of the growth in cybercrime, and it was a focal point of the nearly $21 billion lost to cybercrime scams last year. Not only have we seen AI used to research and automate scams, but we've also seen some rather devious schemes built on it, including deepfaking CEOs to prompt users to troubleshoot, only for the troubleshooting program to contain nasty files.

Just because the world is adopting AI into every approach doesn't mean that threat actors won't pull out the classics when they seemingly work so well. Some things never change.

James Bentley
Hardware writer
