
Old Office and Acrobat Bugs Are Still Current Risk

Legacy document-handling CVEs returning through KEV should trigger file-handler inventory, not eye rolling.

April 14, 2026


Old document bugs keep returning to the queue

April 2026 KEV additions included legacy document-handling issues across Microsoft Office, VBA, and Adobe Acrobat. Some of the CVEs are old by calendar age, but active exploitation evidence makes them current for defenders.

This is the part of vulnerability management that feels unfair: a system can be old, boring, and still operationally relevant.

Inventory file handlers

Start by understanding which systems still open risky document types. Executive assistants, finance teams, legal teams, HR, support queues, and shared kiosks often process files from outside the organization. Those endpoints deserve special attention.

Inventory should include Office versions, Adobe Reader or Acrobat versions, browser PDF behavior, protected view settings, macro policy, and email attachment controls.
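
A per-endpoint collection script for the items listed above, added here as an example and not part of the original brief. It assumes Office 2016 or later (registry hive `16.0`), the Acrobat/Reader DC policy paths, and that it runs in the logged-on user's session so the HKCU values reflect that user.

```powershell
# Added example: inventory document handlers and their protection settings on one endpoint.
# Assumptions: Office hive "16.0", Adobe "DC" policy track, run as the logged-on user.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (setting not configured)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = [ordered]@{ Computer = $env:COMPUTERNAME; User = $env:USERNAME }

# Installed Office and Adobe builds from the 64-bit and 32-bit uninstall keys
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Microsoft (Office|365)|Adobe Acrobat' } |
    ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } | Sort-Object -Unique
$report.InstalledApps = $apps -join '; '
$report.OfficeC2RVersion = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' 'VersionToReport'

# Program the user's profile opens each document type with (blank = system default)
foreach ($ext in '.pdf', '.doc', '.docm', '.xls', '.xlsm', '.rtf') {
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $report["Handler_$($ext.TrimStart('.'))"] = Get-RegValue $key 'ProgId'
}

# Macro policy and Protected View per Office app (policy hive; blank = not enforced by policy)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $report["${app}_VBAWarnings"] = Get-RegValue $sec 'VBAWarnings'  # 4 = macros disabled without notification
    $report["${app}_BlockInternetMacros"] = Get-RegValue $sec 'blockcontentexecutionfrominternet'
    foreach ($pv in 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV') {
        $report["${app}_$pv"] = Get-RegValue "$sec\ProtectedView" $pv  # 1 = Protected View turned off
    }
}

# Adobe sandbox (Protected Mode) as locked by policy: 1 = on, blank = not enforced
foreach ($product in 'Acrobat Reader', 'Adobe Acrobat') {
    $lock = "HKLM:\SOFTWARE\Policies\Adobe\$product\DC\FeatureLockDown"
    $report["$($product -replace ' ', '')_bProtectedMode"] = Get-RegValue $lock 'bProtectedMode'
}

[pscustomobject]$report
```

Piping the resulting object to `Export-Csv` gives one row per endpoint that can be merged centrally; blank policy columns show where a setting is left to the user instead of being enforced.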

Reduce exposure before perfect patching

Patching is required, but exposure reduction buys time. Disable unnecessary file associations, restrict macro execution, isolate high-risk attachment workflows, and make sure sandboxing features are enabled where appropriate.

For teams with unmanaged endpoints, prioritize the systems that receive external files first.

Train around the workflow, not the CVE

Users do not need to memorize CVE IDs. They need to understand the risky workflow: unexpected documents, password-protected attachments, urgent invoice language, and files that ask them to disable protections. Keep training tied to the real process they use.

Source note

This brief is based on CISA KEV additions for CVE-2009-0238, CVE-2012-1854, CVE-2020-9715, and CVE-2026-34621, with vendor references including Microsoft MS09-009, Microsoft MS12-046, and Adobe APSB26-43.
