
17 Years Later: That Excel RCE and the Defender Zero-Day Reality Check

whatahey 4/16/2026

Anyone else refreshing their threat feeds this morning and wondering if it's 2009 again? The ThreatsDay Bulletin dropped some heavy hitters today. The one keeping me up is the RCE in Excel that's been lurking in the codebase for 17 years. It's essentially a ghost from the Office 2007 era coming back to haunt us.

From what I gather, the vulnerability (CVE-2026-39481) involves a parsing issue in legacy OLE objects. The attack vector is pretty standard—phishing mail with a malicious attachment—but the fact that it bypasses modern ASLR/DEP mitigations due to the age of the code structure is wild. Threat actors are leveraging it to drop Cobalt Strike beacons directly in memory.

On top of that, we're seeing active exploitation attempts against SonicWall SMA appliances (CVE-2026-22314). They're hitting the SSL VPN login portals with brute-force tools that bypass the default lockout policies using HTTP parameter pollution. And of course, the Defender 'BlueHammer' 0-day (CVE-2026-18544) is still causing headaches in EDR evasion circles.

Here is a quick KQL query I whipped up to hunt for suspicious parent-child processes involving Excel spawning PowerShell or cmd, which seems to be the post-exploitation behavior in the Excel campaigns:

DeviceProcessEvents
| where Timestamp > ago(7d)
// Parent is Excel, child is the script host; =~ and in~ are case-insensitive
| where InitiatingProcessFileName =~ "excel.exe"
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

How is everyone handling the patch cycle for this Excel drop? Are you forcing updates through GPO immediately, or waiting for the next maintenance window given the compatibility risks with older sheets?

SOC_Analyst_Jay 4/16/2026

We are forcing the GPO update. The risk of a 17-year-old RCE being leveraged in a targeted campaign against our finance department outweighs the annoyance of a broken macro or two. We're also blocking Excel from spawning child processes unless signed by a specific cert using AppLocker policies until we can verify patch compliance across the fleet.

BlueTeam_Alex 4/16/2026

The SonicWall issue is actually stressing me out more than the Excel one right now. We don't use SMA appliances directly, but our MSP partners do. I've been running this GeoIP block on our firewall just to be safe against the VPN brute-force waves coming from known hostile IPs:

# Static CIDR denies, not GeoIP rules (ufw cannot match by country).
# 103/8 is an APNIC block and 185/8 a RIPE NCC block; both span many countries.
# 'insert 1' places the denies before any existing allow rule; a plain
# 'ufw deny' is appended and evaluated after earlier allows.
sudo ufw insert 1 deny from 185.220.0.0/16
sudo ufw insert 1 deny from 103.0.0.0/8


It's a blunt instrument, but it lowers the noise significantly.

API_Security_Kenji 4/16/2026

That KQL query is solid, but you might want to filter out 'excel.exe' launching 'winword.exe' or vice versa. Office interop is noisy enough without the SOC getting spammed every time someone embeds a Word doc in an Excel sheet. We added a specific exclusion for 'mshta.exe' though—that's the real red flag for these legacy exploits.
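The hunt from the opening post, with the Office interop exclusion suggested in this reply, replayed over constructed telemetry in Python. This is an added example, not code from the thread or from Microsoft: the record shape mirrors the DeviceProcessEvents fields used in the query, but the hostnames, accounts, command lines, the LOADER_HINTS list and the mshta-equals-high rule are assumptions, and every event is made up. It goes slightly beyond the query by scoring each hit.

```python
"""Replay the Excel-to-script-host hunt over constructed process events.

Added example for this thread; not code from the post or from Microsoft.
Field names mirror DeviceProcessEvents, the records themselves are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

# Child processes a spreadsheet has no business spawning.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "cscript.exe", "wscript.exe", "mshta.exe"}
# Office-to-Office launches (embedded documents, OLE automation) are expected;
# they are dropped as interop noise, per the follow-up reply.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Command-line fragments typical of in-memory loaders (assumed list).
LOADER_HINTS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                "frombase64string", "downloadstring")


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: datetime
    device: str
    account: str
    parent: str    # InitiatingProcessFileName
    child: str     # FileName
    cmdline: str   # ProcessCommandLine


def hunt(events: Iterable[ProcessEvent], now: datetime,
         lookback: timedelta = timedelta(days=7)) -> List[ProcessEvent]:
    """Return events where Excel spawned a script host inside the window.

    Name matching is case-insensitive, mirroring KQL's =~ and in~ operators.
    """
    cutoff = now - lookback
    hits: List[ProcessEvent] = []
    for ev in events:
        if ev.timestamp <= cutoff:
            continue                      # outside ago(7d)
        if ev.parent.lower() != "excel.exe":
            continue                      # parent must be Excel
        child = ev.child.lower()
        if child in OFFICE_APPS:
            continue                      # embedded Word doc opened from a sheet
        if child in SCRIPT_HOSTS:
            hits.append(ev)
    return hits


def severity(ev: ProcessEvent) -> str:
    """mshta, or a loader-style command line, is high; any other hit is medium."""
    cl = ev.cmdline.lower()
    if ev.child.lower() == "mshta.exe" or any(h in cl for h in LOADER_HINTS):
        return "high"
    return "medium"


def report(events: Iterable[ProcessEvent],
           now: datetime) -> List[Tuple[str, str, str]]:
    """(device, child, severity) for every hit, in event order."""
    return [(ev.device, ev.child.lower(), severity(ev)) for ev in hunt(events, now)]


NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)

# Constructed sample telemetry: hypothetical hosts, users, paths and payloads.
SAMPLE_EVENTS = [
    ProcessEvent(NOW - timedelta(hours=3), "FIN-WS-07", "corp\\mlee",
                 "EXCEL.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent(NOW - timedelta(hours=2), "FIN-WS-07", "corp\\mlee",
                 "excel.exe", "winword.exe", "winword.exe /n /embedding"),
    ProcessEvent(NOW - timedelta(days=1), "HR-WS-02", "corp\\jdoe",
                 "explorer.exe", "powershell.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcessEvent(NOW - timedelta(days=2), "FIN-WS-11", "corp\\rpatel",
                 "excel.exe", "mshta.exe", "mshta.exe C:\\Users\\Public\\invoice.hta"),
    ProcessEvent(NOW - timedelta(days=10), "FIN-WS-11", "corp\\rpatel",
                 "excel.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(NOW - timedelta(days=3), "OPS-WS-04", "corp\\tkim",
                 "excel.exe", "cmd.exe", "cmd.exe /c echo hello"),
]

if __name__ == "__main__":
    for device, child, sev in report(SAMPLE_EVENTS, NOW):
        print(f"{sev:6} {device:10} excel.exe -> {child}")
```

Of the six constructed events, three fire: the interop launch of winword.exe is dropped, the explorer-spawned PowerShell never matches because the parent is not Excel, and the cmd.exe launch from ten days ago falls outside the window.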


Thread Stats

Created 4/16/2026
Last Active 4/16/2026
Replies 3
Views 192