United States issues a warning about Microsoft Excel
The United States has issued a warning about an actively exploited vulnerability affecting Microsoft Excel users who have not yet updated to the latest version of the software.
America’s cyberdefence agency, CISA, said a 17-year-old Excel exploit can allow threat actors to gain control of entire systems.
All major banks in South Africa, including Nedbank, Standard Bank, Old Mutual, Absa, FNB, FirstRand, Capitec, and even the South African Reserve Bank, use Microsoft Excel.
Financial providers such as Discovery, Sanlam, OUTsurance, Momentum, and Santam, as well as fintechs like PalmPay and iKhokha, also use the software.
Companies that have not yet updated to the latest versions of Microsoft 365 are being warned that the vulnerability is being exploited, meaning attacks are already underway.
Only older versions of Excel are affected, meaning any company or individual who uses Microsoft Office Excel 2000, 2002, 2003, or 2007 is at risk.
It also affects individuals or companies using Microsoft Office compatibility packs from 2007, which were offered for free and widely used as a bridge between older and newer software.
These packs allow users with older versions of Microsoft software to open newer file formats like .docx and .xlsx. Mac users running Office from 2004 to 2008 are also at risk from the vulnerability.
At the time the exploit was first discovered, Microsoft reported that it allowed “remote attackers to execute arbitrary code via a crafted Excel document.”
The crafted document triggers an access attempt on an invalid object, a file that Excel spreadsheets do not recognise and cannot accurately render. Initially, the exploit was launched via a Trojan called Trojan.Mdropper.ac.
“An attacker who successfully exploited these vulnerabilities could take complete control of an affected system,” said Microsoft in a 2009 advisory.
Attackers could use the exploit to install programs, delete data, and create new accounts with full user rights — essentially the worst kind of cyberattack possible.

Find and remove any traces of Excel pre-2008 from your systems

CISA urged agencies within the U.S. government to update to the latest version of Excel to avoid being affected by the 2009 exploit.
Agencies in government must now find and remove any traces of Excel from 2004 to 2008 on all systems within two weeks, even if they are no longer using the legacy software.
CISA also highlighted a new Microsoft SharePoint server vulnerability, tracked as CVE-2026-33201, that could allow threat actors to create a fake SharePoint login page to steal credentials.
The warnings from CISA are another wake-up call for companies and governments worldwide to adopt cybersecurity best practices and always keep software up to date.
According to a 2025 study from PwC South Africa, local companies highlighted that one of the biggest challenges in withstanding major cyberattacks was reliance on legacy systems.
Many organisations in South Africa are reactive rather than proactive, choosing solutions to address today’s risks rather than those that are still emerging and may carry unknowns.
American cybersecurity firm Palo Alto Networks said in March that cybercriminals worldwide were specifically targeting legacy systems of major entities such as ports, utilities, and transport networks.
“These environments often rely on older systems that cannot be easily patched,” explained Justin Lee, Palo Alto regional director for Southern Africa.
“Securing them requires visibility not just across the IT network, but deep into the industrial control systems that manage essential services.”
Palo Alto shared that an organisation in South Africa is breached by a threat actor every three hours, with 284 breaches reported to the Information Regulator every month.
One of South Africa’s largest payment processors, Adumo, was a recent victim of a breach. An attacker claimed to have obtained source code and other sensitive company information.
The company told us that threat actors breached an “external system that was previously used to share files with integration partners.” Over 14GB of data was stolen from this system.
While the company said the breach did not impact business operations, the threat actor advertised the sale of source code for the company’s payment systems.