Severity: CRITICAL | Source: CISA KEV Catalog | Date: April 14, 2026
The Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that both are being actively weaponized by threat actors in the wild. The two vulnerabilities are:
- CVE-2009-0238 - Microsoft Office Remote Code Execution Vulnerability. A critical flaw in Microsoft Excel that allows an attacker to execute arbitrary code simply by convincing a user to open a malicious Office file. This vulnerability is 16 years old and is still being exploited today - a damning signal that unpatched legacy systems remain a primary attack surface across the region.
- CVE-2026-32201 - Microsoft SharePoint Server Improper Input Validation Vulnerability. A newly confirmed flaw in SharePoint Server that enables attackers to inject and execute malicious input through the platform. SharePoint is a core document management and collaboration tool used by government agencies, banks, and telecoms across Kenya, Ethiopia, Somalia, and the broader Horn of Africa.
CISA's KEV Catalog is not a theoretical watchlist. Inclusion means real threat actors - including ransomware groups and state-sponsored operators - are using these exact vulnerabilities in live attacks right now.
Impact Assessment for East African Organizations
Government agencies in Kenya, Ethiopia, and Somalia rely heavily on Microsoft SharePoint as an intranet and document-sharing backbone. A successful exploit of CVE-2026-32201 could grant attackers persistent access to classified policy documents, citizen data, and inter-ministry communications - a direct violation of Kenya's Data Protection Act 2019 and Ethiopia's emerging data governance frameworks.
Financial institutions regulated by the Central Bank of Kenya (CBK) and the National Bank of Ethiopia face compounded risk. The Microsoft Office RCE flaw (CVE-2009-0238) is a classic phishing delivery mechanism. A single staff member opening a weaponized Excel attachment - common in finance teams processing invoices or reports - can hand an attacker full control of an endpoint. From there, lateral movement to core banking systems is a well-documented kill chain. This creates direct exposure under CBK's Prudential Guideline on Cybersecurity and PCI-DSS requirements.
Critical infrastructure operators - including power utilities and telecoms in Uganda, Tanzania, and Djibouti - using SharePoint for operational documentation are equally exposed. Downtime or data exfiltration at this level carries national-security implications, not just financial penalties.
The age of CVE-2009-0238 is particularly alarming for the region. Many East African organizations operate with extended hardware and software lifecycles due to budget constraints, meaning legacy Office installations are far more common here than in Western markets. Attackers know this.
Immediate Actions - Do These Now
- Patch Microsoft SharePoint Server immediately. Apply all available Microsoft security updates for SharePoint, prioritizing CVE-2026-32201. Do not wait for your next scheduled maintenance window. Treat this as an emergency change.
- Audit and upgrade all Microsoft Office installations. Any Office version that has not been fully patched and updated is a liability. Identify all endpoints running legacy Office builds - especially Excel - and push patches or isolate those machines from the network.
- Block weaponized file delivery at the email gateway. Enforce strict filtering rules that block or sandbox incoming Excel (.xls, .xlsx, .xlsm) and other Office file attachments from external senders. This directly cuts the delivery chain for CVE-2009-0238 exploits.
- Review SharePoint user permissions now. Apply the principle of least privilege across your SharePoint environment. If an attacker exploits CVE-2026-32201, narrow permissions limit the blast radius of what they can access or exfiltrate.
- Activate enhanced monitoring on SharePoint and endpoint activity. Tune your SIEM or EDR to alert on anomalous SharePoint access patterns, unexpected macro execution in Office files, and lateral movement indicators. If you do not have active monitoring in place, this is the moment that gap becomes critical.
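The email-gateway control above (block or sandbox external Office attachments) is easy to state but easy to get wrong: filtering on the file extension alone misses a legacy .xls renamed to .pdf, and lets a macro-enabled workbook through if it is renamed .xlsx. The following Python is an added example written for this post, not code from DRONGO or from any gateway product; it triages an attachment by its container signature (the OLE2 header used by the legacy binary Excel format that CVE-2009-0238 targets, and the ZIP container of OOXML files) and by whether an OOXML file carries a VBA project. The internal domain, sender addresses and sample files are constructed for illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# Hypothetical organisation domain; everything else is treated as external.
INTERNAL_DOMAINS = {"example.go.ke"}
OFFICE_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".docm", ".ppt", ".pptx"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.xls/.doc) container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.xlsx/.docx) is a ZIP container


@dataclass
class Attachment:
    filename: str
    data: bytes


def sniff_container(data: bytes) -> str:
    """Classify by content, not by name: 'ole2', 'ooxml', 'zip' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        # Every OOXML package carries a content-types part at the root.
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "other"


def ooxml_has_macros(data: bytes) -> bool:
    """A VBA project is stored as xl/ or word/ vbaProject.bin inside the package."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(sender: str, att: Attachment) -> tuple:
    """Return (verdict, reason) where verdict is 'block', 'sandbox' or 'allow'."""
    domain = sender.rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    ext = ("." + att.filename.rsplit(".", 1)[-1].lower()) if "." in att.filename else ""
    container = sniff_container(att.data)

    if not external:
        return "allow", "internal sender"
    # Legacy binary container from outside: the delivery format for CVE-2009-0238.
    if container == "ole2":
        return "block", "legacy OLE2 Office file from external sender"
    if container == "ooxml" and ooxml_has_macros(att.data):
        return "block", "macro-enabled OOXML from external sender"
    # Office content hiding behind a non-Office extension.
    if container == "ooxml" and ext not in OFFICE_EXTENSIONS:
        return "block", f"Office package disguised as {ext or 'no extension'}"
    # Office extension whose bytes are not an Office package: renamed or malformed.
    if ext in OFFICE_EXTENSIONS and container != "ooxml":
        return "block", f"extension {ext} does not match content ({container})"
    if container == "ooxml":
        return "sandbox", "external Office document, detonate before delivery"
    return "allow", "no Office content detected"


def make_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-shaped package for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample messages; addresses and filenames are illustrative only.
SAMPLES = [
    ("vendor@external.example", Attachment("invoice.xlsx", make_ooxml(False))),
    ("vendor@external.example", Attachment("invoice.xlsm", make_ooxml(True))),
    ("vendor@external.example", Attachment("report.xls", OLE2_MAGIC + b"\x00" * 64)),
    ("vendor@external.example", Attachment("report.xlsx", b"%PDF-1.7 not really")),
    ("vendor@external.example", Attachment("notes.pdf", make_ooxml(False))),
    ("finance@example.go.ke", Attachment("budget.xls", OLE2_MAGIC + b"\x00" * 64)),
]


def run_samples():
    return [(att.filename, *triage(sender, att)) for sender, att in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The point of sniffing the container is that the verdict no longer depends on what the sender named the file; a renamed legacy workbook is still blocked, and an external macro-free .xlsx is sandboxed rather than delivered directly. A production gateway rule would express the same decisions in the product's own policy language.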
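For the monitoring item above, two of the named signals can be expressed as concrete detection rules: an Office application spawning a command interpreter (what a macro or an exploited document typically does next), and a single account pulling an unusual number of distinct SharePoint documents in a short window. The Python below is an added example for this post, not DRONGO's SOC content and not tied to any SIEM or EDR product; the event field names, thresholds, hostnames and account names are constructed for illustration and would be mapped onto the real log schema in practice.

```python
import json
from collections import deque
from datetime import datetime, timedelta

# Hypothetical rule parameters; tune to the environment's baseline.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
MASS_DOWNLOAD_THRESHOLD = 20
MASS_DOWNLOAD_WINDOW = timedelta(minutes=5)


def parse_events(lines):
    """Parse JSON-lines events (constructed schema) and sort them by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_office_child_process(events):
    """Alert when an Office parent process launches an interpreter or LOLBin."""
    alerts = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        if parent in OFFICE_APPS and image in SUSPICIOUS_CHILDREN:
            alerts.append({"rule": "office_spawns_interpreter", "host": ev["host"],
                           "user": ev["user"], "detail": f"{parent} -> {image}"})
    return alerts


def detect_mass_download(events):
    """Alert once per user when distinct files downloaded in the window hit the threshold."""
    alerts = []
    windows = {}      # user -> deque of (timestamp, file path)
    alerted = set()
    for ev in events:
        if ev.get("type") != "sharepoint" or ev.get("op") != "FileDownloaded":
            continue
        user = ev["user"]
        q = windows.setdefault(user, deque())
        q.append((ev["ts"], ev["file"]))
        # Drop entries older than the sliding window.
        while q and ev["ts"] - q[0][0] > MASS_DOWNLOAD_WINDOW:
            q.popleft()
        distinct = {f for _, f in q}
        if len(distinct) >= MASS_DOWNLOAD_THRESHOLD and user not in alerted:
            alerted.add(user)
            alerts.append({"rule": "sharepoint_mass_download", "user": user,
                           "count": len(distinct), "first": q[0][0].isoformat(),
                           "last": ev["ts"].isoformat()})
    return alerts


def build_sample_lines():
    """Constructed sample log: one Office-to-cmd launch, one bulk pull, some normal use."""
    base = datetime(2026, 4, 14, 9, 0, 0)
    lines = [
        json.dumps({"ts": base.isoformat(), "type": "process", "host": "FIN-PC07",
                    "user": "jmwangi", "parent": "EXCEL.EXE", "image": "cmd.exe"}),
        # Explorer launching Excel is normal and must not fire.
        json.dumps({"ts": (base + timedelta(seconds=30)).isoformat(), "type": "process",
                    "host": "FIN-PC07", "user": "jmwangi", "parent": "explorer.exe",
                    "image": "EXCEL.EXE"}),
    ]
    for i in range(25):  # 25 distinct policy documents by one account in under 3 minutes
        lines.append(json.dumps({"ts": (base + timedelta(seconds=7 * i)).isoformat(),
                                 "type": "sharepoint", "op": "FileDownloaded",
                                 "user": "svc-intranet", "file": f"/sites/policy/doc{i:02d}.docx"}))
    for i in range(5):   # ordinary activity, well under the threshold
        lines.append(json.dumps({"ts": (base + timedelta(minutes=i)).isoformat(),
                                 "type": "sharepoint", "op": "FileDownloaded",
                                 "user": "amina", "file": f"/sites/hr/form{i}.xlsx"}))
    return lines


def run_detections(lines):
    events = parse_events(lines)
    return detect_office_child_process(events) + detect_mass_download(events)


if __name__ == "__main__":
    for alert in run_detections(build_sample_lines()):
        print(alert)
```

Counting distinct files rather than raw download events keeps a user who repeatedly reopens the same document from tripping the rule, and alerting once per user per window avoids flooding the SOC while the bulk pull is still in progress.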
DRONGO Recommendation
Both vulnerabilities are actively exploited, not theoretical. DRONGO's SOC team is tracking threat actor activity associated with this CISA advisory across East African networks. If your organization runs SharePoint Server or any version of Microsoft Office and cannot confirm full patch compliance today, your exposure window is open. We can help you close it fast.
Is your organization protected? Request a free security assessment.