CVE-2009-0556: The 2009 PowerPoint But that Refuses to Die

In 2009, LevelBlue Vice President of Security Research Ziv Mador and Cristian Craioveanu worked at the Microsoft Malware Team and documented a notable code injection vulnerability on certain versions of Windows PowerPoint (Windows PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac.)

The bug, CVE-2009-0556, enables remote attackers to execute arbitrary code by using a PowerPoint file with an OutlineTextRefAtom that contains an invalid index value that triggers memory corruption.

So, let’s revisit CVE-2009-0556 from its original disclosure examines why it has become relevant again nearly two decades later, and analyzes what its KEV designation tells us about the current state of enterprise security, patch hygiene and adversary tradecraft.

This vulnerability was one of many issues disclosed during an era when legacy Windows components, permissive default configurations, and limited exploit mitigations were common across enterprise environments. The vulnerability was addressed; advisories were published, and guidance on how to avoid it was provided. The industry then moved on.

Figure 1. Wayback Machine Screenshot of Microsoft Malware Protection Center

Source: https://web.archive.org/web/20090406105859/blogs.technet.com/mmpc/archive/2009/04/02/new-0-day-exploits-using-powerpoint-files.aspx 

Or so it seemed.

Figure 2. CISA-KEV CVE-2009-0556

Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog 

Fast forward to 2026, and CVE-2009-0556 has resurfaced with heightened attention after being added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on January 7, 2026. Its inclusion signals a critical reality that defenders cannot ignore. Vulnerabilities do not cease to be relevant simply because they are old. When legacy systems, misconfigurations, or backward-compatible components persist, old attacks persist as well.

When legacy systems cannot be decommissioned, the associated risk must be managed through strict isolation. These systems should be segmented from the enterprise network and never exposed to the public Internet, with compensating controls in place to reduce exploitability when patching is no longer feasible.