The interesting security story this week is not just that two more vulnerabilities landed in CISA’s Known Exploited Vulnerabilities catalog. It is which ones landed there. In the span of a few days, CISA flagged CVE-2009-0238, a Microsoft Excel remote code execution bug first disclosed in 2009, and CVE-2026-34197, an Apache ActiveMQ flaw that Horizon3 traced back roughly 13 years. One bug is old enough to remember Office 2007. The other lived quietly inside a message broker that still runs real infrastructure.
That is not a weird coincidence. It is the shape of the market now. The exploit queue has entered its archaeology era.
The Excel case is the cleaner symbol. Microsoft’s MS09-009 bulletin shipped on April 14, 2009 and described CVE-2009-0238 as a publicly disclosed memory corruption issue in Excel that was already being exploited at the time. The mechanics were old-school Office misery: convince a victim to open a specially crafted spreadsheet containing a malformed object, then get remote code execution in the context of the logged-in user. Microsoft was blunt about the consequence even then: successful exploitation could let an attacker take complete control of the system.
Seventeen years later, NVD now shows CISA adding that same bug to KEV on 2026-04-14, with remediation due by 2026-04-28. The old bug did not become less real because its disclosure date looked antique. It became newly urgent because somebody still found it useful enough to weaponize against living targets.
That is the part too many security dashboards still flatten into a bland metric. A KEV entry is not just a CVE with a fresh timestamp. It is evidence that dead software history still has an attack budget.
The ActiveMQ case is even more revealing because the exploit path is not nostalgic at all. Apache’s own advisory for CVE-2026-34197 describes a default Jolokia access policy that permits exec operations on ActiveMQ MBeans. An authenticated attacker can abuse BrokerService.addNetworkConnector(String) or addConnector(String) with a crafted discovery URI, trigger the VM transport’s brokerConfig parameter to load a remote Spring XML application context, and reach arbitrary code execution before the broker finishes validating configuration. That is not a folklore bug. That is a modern Java enterprise own-goal built from management APIs, permissive defaults, and dynamic configuration machinery.
The reason it belongs in the same story as Excel is age plus role. According to The Register’s writeup, CISA added the flaw to KEV after active exploitation, with federal agencies told to patch by April 30. The same report cites more than 8,000 internet-reachable ActiveMQ instances tracked by ShadowServer. Worse, the bug gets nastier on ActiveMQ 6.0.0 through 6.1.1 because CVE-2024-32114 can expose the Jolokia endpoint without authentication, turning an “authenticated” flaw into something much closer to unauthenticated remote code execution.
That chain is the archaeology pattern in miniature. Old code paths do not stay isolated. They accrete new defaults, new surfaces, new neighboring bugs, and new operational bad habits like exposed consoles and admin:admin. A latent flaw becomes newly valuable because the environment around it kept evolving.
This is why I think the usual security vocabulary is getting a little too comforting. We talk about “technical debt” as if the main consequence is maintenance drag. That is not what these cases show. These are not slowdowns. They are buried privileges.
Legacy code has become a form of stored offensive energy.
The broader exploitation data points in the same direction. VulnCheck’s State of Exploitation 2026 reports that 884 KEVs saw first observed exploitation in 2025, and 28.96 percent were exploited on or before the day the CVE was published. That number tells the obvious story about speed. But the April Excel and ActiveMQ cases tell a second story about patience. Attackers are not only racing brand-new disclosures. They are also working the backlog, testing whether supposedly solved bugs remain reachable through old viewers, old brokers, old management interfaces, old compatibility packs, and old assumptions nobody was paid to revisit.
In other words, the exploit economy is doing what any mature economy does. It arbitrages neglected inventory.
That has a few consequences defenders should stop pretending are edge cases.
First, patch status is not the same thing as exposure status. CVE-2009-0238 had a patch in 2009. ActiveMQ now has fixed versions in 5.19.4 and 6.2.3 according to Apache’s advisory. Neither fact guarantees anything if the vulnerable product is still sitting in a long-tail environment, wrapped in a compatibility layer, preserved in a gold image, or exposed through some unloved internal service that became externally reachable two reorganizations ago.
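The gap between patch status and exposure status can be worked from an asset inventory. The following is an added example, not code from Apache, CISA, or the original article: it ranks ActiveMQ records using the fixed releases (5.19.4, 6.2.3) and the 6.0.0 through 6.1.1 range for CVE-2024-32114 cited in this piece. The record schema, host names, and the rule that any release below the fixed one on its line counts as unfixed are assumptions.

```python
import re

# Fixed releases and the CVE-2024-32114 range, as stated in the article.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}
UNAUTH_JOLOKIA = ((6, 0, 0), (6, 1, 1))
RANK = {"critical": 0, "high": 1, "unknown": 2, "medium": 3, "fixed": 4}

def parse_version(text):
    """Return (major, minor, patch), ignoring suffixes such as -SNAPSHOT."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(map(int, m.groups())) if m else None

def triage(asset):
    """Classify one inventory record (hypothetical schema) for CVE-2026-34197."""
    v = parse_version(asset.get("version"))
    fixed = FIXED.get(v[0]) if v else None
    if fixed is None:
        return "unknown"      # unparseable or unlisted release line: check by hand
    if v >= fixed:
        return "fixed"
    # Assumption: anything below the fixed release on its line is unfixed.
    unauth = UNAUTH_JOLOKIA[0] <= v <= UNAUTH_JOLOKIA[1]
    reachable = bool(asset.get("internet_reachable"))
    if unauth and reachable:
        return "critical"     # Jolokia may be exposed without authentication
    if unauth or reachable:
        return "high"
    return "medium"           # unfixed but internal: still needs a patch date

def prioritize(inventory):
    """Return (host, label) pairs, most urgent first."""
    rows = [(a["host"], triage(a)) for a in inventory]
    return sorted(rows, key=lambda r: (RANK[r[1]], r[0]))

# Constructed sample inventory; hosts and fields are illustrative.
SAMPLE = [
    {"host": "mq-lab-01", "version": "5.18.3", "internet_reachable": False},
    {"host": "mq-edge-02", "version": "6.1.0", "internet_reachable": True},
    {"host": "mq-core-03", "version": "6.2.3", "internet_reachable": True},
    {"host": "mq-gold-img", "version": "", "internet_reachable": False},
    {"host": "mq-dmz-04", "version": "5.19.3-SNAPSHOT", "internet_reachable": True},
]

if __name__ == "__main__":
    for host, label in prioritize(SAMPLE):
        print(f"{label:9} {host}")
```

Records with no usable version, such as the gold image in the sample, sort above internal unfixed hosts so they get checked by hand rather than assumed safe.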
Second, management planes deserve much more suspicion than they usually get. The ActiveMQ bug is nasty precisely because it lives in the sort of feature set enterprises love to keep around: administrative bridges, dynamic connector setup, remote configuration loading, and middleware that is supposed to make a sprawling system easier to operate. Those are convenience features until they become remote command runners.
Third, security programs need better historical memory. The KEV list is useful, but it is reactive and compressed. It tells you a thing is now burning. It does not tell you whether your environment is full of product families whose old components never really died. If your asset inventory still treats legacy Office viewers, compatibility packs, old brokers, or forgotten management consoles as somebody else’s problem, you are not managing risk. You are curating a museum with live ammunition.
The ugly cultural lesson is that software rarely disappears when the industry narrative says it should. It lingers in subsidiaries, labs, factories, shared drives, vendor appliances, VM templates, and migration projects that were always supposed to finish next quarter. Security people know this already. What is changing is that attackers increasingly know how to monetize it systematically.
That is why these April KEV additions matter more than a lot of shinier zero-day theater. A 17-year-old Excel exploit and a 13-year-old broker bug both becoming current again is a reminder that the attack surface is not a timeline. It is a sediment layer.
The defenders who win the next few years will not just be the ones who react fastest to the newest CVE. They will be the ones who get serious about excavating the old code that still has production authority before someone else does it for them.