Severity Rating: CRITICAL
This week's threat bulletin is not background noise. It is a multi-front attack wave hitting the exact tools that East African government agencies, banks, and critical infrastructure operators depend on every single day. Three threats stand above the rest in terms of immediate risk to organizations in Kenya, Somalia, Ethiopia, and across the Horn of Africa.
The Threats
1. Windows Defender 0-Day (Actively Exploited)
A zero-day vulnerability in Microsoft Windows Defender is being actively exploited in the wild, with no patch available at time of writing. Attackers are using the flaw to bypass endpoint protection, so the control most organizations treat as their baseline cannot be trusted to block, or even report, the intrusion. Organizations running unmanaged or under-monitored Windows endpoints are at highest risk, a profile common to government ministries, county governments, and regional bank branches across East Africa.
2. SonicWall Brute-Force Attacks
SonicWall firewalls and VPN appliances are being subjected to large-scale, automated brute-force campaigns against their VPN and management login interfaces. SonicWall devices are widely deployed across East African enterprises and ISPs as perimeter security and remote-access gateways. A single guessed password yields a VPN session inside the perimeter; unless that session is confined by MFA and network segmentation, it is a direct path to internal systems. CISA tracks actively exploited SonicWall vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, but credential brute-forcing is not itself a CVE and no patch removes it: the controls that matter are account lockout, MFA, and shrinking the exposed login surface.
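The log-side check that goes with the paragraph above, as an added example that is not code from the bulletin or from SonicWall: it parses SonicOS-style key=value syslog lines forwarded to a collector, flags sources whose failed logins in a sliding window look like brute force (many failures against one account) or password spraying (a few failures across many accounts), and then lists any flagged source that went on to log in successfully. The sample lines are constructed, and the message wording ("User login failed" / "User login succeeded") and the `src=ip:port:interface` layout are assumptions; check the exact text your firmware emits and adjust the patterns.

```python
"""Flag SonicWall login brute-forcing and password spraying from forwarded syslog.

Added example, not code from the bulletin or from SonicWall. Assumes SonicOS-style
key=value syslog lines; the sample below is constructed, and the login message
wording is an assumption to be matched against your own firmware's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_PATTERN = re.compile(r"login failed|authentication failed", re.IGNORECASE)
OK_PATTERN = re.compile(r"login succeeded|login allowed", re.IGNORECASE)

# Constructed sample, not real device output (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
id=firewall sn=0017C5000001 time="2026-04-07 08:00:01 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=admin src=198.51.100.7:51234:X1
id=firewall sn=0017C5000001 time="2026-04-07 08:00:02 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=admin src=198.51.100.7:51235:X1
id=firewall sn=0017C5000001 time="2026-04-07 08:00:04 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=admin src=198.51.100.7:51236:X1
id=firewall sn=0017C5000001 time="2026-04-07 08:00:05 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=admin src=198.51.100.7:51237:X1
id=firewall sn=0017C5000001 time="2026-04-07 08:00:07 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=admin src=198.51.100.7:51238:X1
id=firewall sn=0017C5000001 time="2026-04-07 08:00:09 UTC" fw=203.0.113.10 pri=1 msg="User login succeeded" usr=admin src=198.51.100.7:51239:X1
id=firewall sn=0017C5000001 time="2026-04-07 08:10:00 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=jmwangi src=198.51.100.9:40001:X1
id=firewall sn=0017C5000001 time="2026-04-07 08:10:20 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=aabdi src=198.51.100.9:40002:X1
id=firewall sn=0017C5000001 time="2026-04-07 08:10:41 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=tbekele src=198.51.100.9:40003:X1
id=firewall sn=0017C5000001 time="2026-04-07 09:00:00 UTC" fw=203.0.113.10 pri=1 msg="User login failed" usr=finance01 src=192.0.2.5:33000:X1
id=firewall sn=0017C5000001 time="2026-04-07 09:00:30 UTC" fw=203.0.113.10 pri=1 msg="User login succeeded" usr=finance01 src=192.0.2.5:33001:X1
"""


def parse_line(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_events(log_text):
    """Return (timestamp, source_ip, user, succeeded) for every login event."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        msg = rec.get("msg", "")
        ok = bool(OK_PATTERN.search(msg))
        if not ok and not FAIL_PATTERN.search(msg):
            continue  # not a login event
        src_ip = rec.get("src", "").split(":")[0]  # assumed src=ip:port:interface
        ts = datetime.strptime(rec["time"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        events.append((ts, src_ip, rec.get("usr", "?"), ok))
    return events


def detect_bruteforce(log_text, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return {source_ip: reason} for sources whose failures inside any sliding
    window reach max_failures (brute force) or touch max_users accounts (spray)."""
    failures = defaultdict(list)
    for ts, src, usr, ok in parse_events(log_text):
        if not ok:
            failures[src].append((ts, usr))
    alerts = {}
    for src, evs in failures.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= max_failures:
                alerts[src] = f"{len(span)} failed logins within {window}"
                break
            if len(users) >= max_users:
                alerts[src] = f"password spray across {len(users)} accounts"
                break
    return alerts


def compromised_sources(log_text, **thresholds):
    """Flagged sources that logged in successfully after their first failure.
    Treat those sessions as unrecognized: terminate them, then rotate the account."""
    alerts = detect_bruteforce(log_text, **thresholds)
    events = parse_events(log_text)
    first_fail = {}
    for ts, src, usr, ok in events:
        if not ok and src in alerts:
            first_fail[src] = min(ts, first_fail.get(src, ts))
    return {src for ts, src, usr, ok in events
            if ok and src in first_fail and ts >= first_fail[src]}


if __name__ == "__main__":
    for src, why in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {why}")
    print("successful login after being flagged:", compromised_sources(SAMPLE_LOG))
```

The thresholds are deliberately low for the demo; on a busy gateway raise `max_failures` and tune `window`, and feed the collector's real SonicOS lines rather than the constructed sample. A source that appears in `compromised_sources` is the one to act on first: kill the session, rotate the credential, then look at what that VPN account touched.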
3. CVE-2009-0238: A 17-Year-Old Microsoft Excel RCE - Still Being Exploited
This is not a typo. CVE-2009-0238, a remote code execution vulnerability in Microsoft Excel that is 17 years old, has been added to CISA's KEV catalog based on confirmed active exploitation. It is a memory-corruption bug in Excel's file parser: opening a crafted workbook is enough, no macros are involved, so macro policies alone do not mitigate it. Microsoft fixed it in 2009 (MS09-009), which means any exposed installation is one that never received that update. Attackers are embedding malicious Excel files in emails targeting finance and procurement teams. If your organization is running legacy or unpatched Microsoft Office installations - a common reality in budget-constrained public sector environments across the region - this vulnerability is an open door.
Impact Assessment for East Africa
Banking and financial institutions in Kenya, Ethiopia, and Somalia face the highest combined risk. SonicWall devices are common perimeter controls in branch networks. Excel is the dominant tool for financial reporting, loan processing, and inter-branch data sharing. A single malicious spreadsheet sent to a loan officer or finance manager can trigger a full network compromise.
Government and GovTech agencies are exposed on two flanks. The Defender 0-day neutralizes endpoint protection on Windows systems that form the backbone of most public sector ICT infrastructure. Kenya's ongoing digital government initiatives - e-citizen portals, IFMIS, and county-level systems - are administered from Windows estates that rely on Defender as a primary control layer.
Critical infrastructure operators, including power utilities and telecoms, face lateral movement risk through SonicWall VPN brute-force. Remote access to operational technology (OT) networks - SCADA systems, substations, network operations centers - often routes through exactly these appliances.
Separately, CISA added CVE-2026-32201 (Microsoft SharePoint) and CVE-2026-1340 (Ivanti EPMM) to its KEV catalog this same week, compounding the patch burden for IT teams already stretched thin.
Immediate Actions: Do These Today
- Audit all SonicWall deployments. Enforce account lockout policies, require MFA on VPN and admin logins, rotate all VPN credentials, disable unused admin interfaces and remove management access from the WAN side, and check for unrecognized active sessions immediately. In the logs, a burst of failed logins from one source followed by a success is the pattern to hunt for.
- Harden Excel. Disable macro execution via Group Policy across all workstations and block inbound Excel files from external senders at the mail gateway where operationally possible, but do not stop there: CVE-2009-0238 is triggered by opening the file, not by a macro. Patch or retire Office installations that predate the 2009 fix, keep Protected View enabled for files from the internet and email, and use Office File Block settings to refuse legacy binary .xls formats you no longer need.
- Activate your EDR platform's tamper-protection and ensure Defender is reporting to a centralized SIEM or MDR service. A 0-day is not survivable without compensating detection controls.
- Patch aggressively and prioritize CISA KEV. Every CVE on CISA's Known Exploited Vulnerabilities catalog represents a confirmed, active threat. Apply patches in order of KEV listing, not CVSS score alone; within KEV, work by due date and put entries flagged for known ransomware campaign use first.
- Verify your backup integrity today. If any of these vulnerabilities are being exploited in your environment, ransomware deployment is the likely end-state. Offline, tested backups are your last line of defence.
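One way to turn the "KEV before CVSS" rule into a patch queue, as an added example that is not the bulletin's or DRONGO's tooling: it indexes a KEV feed by CVE ID and sorts scanner findings so that overdue KEV entries come first, then remaining KEV entries by ransomware flag and due date, then everything else by CVSS. `KEV_SAMPLE` mirrors the field names of the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) but every value in it is a placeholder; `CVE-2026-99999` and `CVE-2025-55555` are fictional IDs, and `FINDINGS` with its CVSS scores is a constructed scanner export. Load the live feed in place of `KEV_SAMPLE` for real use.

```python
"""Order vulnerability findings by CISA KEV status before CVSS.

Added example, not the bulletin's tooling. KEV_SAMPLE uses the real feed's field
names but placeholder values; the two CVE IDs ending in 99999/55555 are fictional
and FINDINGS is a constructed scanner export.
"""
import json
from datetime import date

# Constructed stand-in for the live KEV JSON feed (values are placeholders).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-13", "knownRansomwareCampaignUse": "Unknown"},
        # Fictional entry, present only to show how an overdue, ransomware-flagged CVE sorts.
        {"cveID": "CVE-2026-99999", "vendorProject": "Example Corp", "product": "Example VPN",
         "dateAdded": "2026-03-01", "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner export: host, CVE, and the scanner's CVSS score.
FINDINGS = [
    {"host": "fin-ws-014", "cve": "CVE-2009-0238", "cvss": 9.3},
    {"host": "intranet-sp01", "cve": "CVE-2026-32201", "cvss": 8.8},
    {"host": "mdm-epmm01", "cve": "CVE-2026-1340", "cvss": 9.8},
    {"host": "vpn-gw02", "cve": "CVE-2026-99999", "cvss": 7.5},
    {"host": "db-ora03", "cve": "CVE-2025-55555", "cvss": 9.8},  # fictional, not in KEV
]


def load_kev(feed_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return findings in patch order, each with a 'reason' string.

    Sort key: (tier, ransomware flag, due date, -CVSS) where tier 0 = KEV entry
    past its due date, 1 = other KEV entries, 2 = not in KEV (CVSS only)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            key = (2, 1, date.max, -f["cvss"])
            reason = f"not in KEV; CVSS {f['cvss']}"
        else:
            due = date.fromisoformat(entry["dueDate"])
            ransom = entry.get("knownRansomwareCampaignUse") == "Known"
            tier = 0 if due <= today else 1
            key = (tier, 0 if ransom else 1, due, -f["cvss"])
            reason = (f"KEV {entry['vendorProject']} {entry['product']}, due {due}"
                      + (" (OVERDUE)" if tier == 0 else "")
                      + (", ransomware use known" if ransom else ""))
        ranked.append((key, {**f, "reason": reason}))
    ranked.sort(key=lambda kr: kr[0])
    return [r for _, r in ranked]


if __name__ == "__main__":
    for i, f in enumerate(prioritize(FINDINGS, load_kev(KEV_SAMPLE), "2026-04-07"), 1):
        print(f"{i}. {f['host']:14} {f['cve']:15} {f['reason']}")
```

The point the ordering makes: a CVSS 9.8 finding that is not in KEV lands at the bottom, below a CVSS 7.5 KEV entry that is overdue and tied to ransomware, because confirmed exploitation outranks theoretical severity. Swap `FINDINGS` for your scanner's CSV or JSON export and the queue is the order to work through.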
DRONGO Recommendation
This week's bulletin describes exactly the threat environment DRONGO's Managed Detection and Response (MDR) and Vulnerability Management services are built to address. Our SOC team, operating with regional context and 24/7 coverage, monitors for exploitation of active KEV entries across client environments in Kenya, Somalia, and Ethiopia. We can assess your SonicWall exposure and patch posture within 48 hours.
Is your organization protected? Request a free security assessment.