The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two significant security vulnerabilities, affecting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView, to its Known Exploited Vulnerabilities (KEV) catalog. The addition underscores the severity of these flaws and the need for prompt remediation to protect organizational networks from exploitation.
Identified Vulnerabilities
1. CVE-2009-0556: A code injection flaw in Microsoft Office PowerPoint with a Common Vulnerability Scoring System (CVSS) score of 8.8. It allows remote attackers to execute arbitrary code through memory corruption, potentially giving them control over affected systems.
2. CVE-2025-37164: A critical vulnerability in HPE OneView with a CVSS score of 10.0 that allows remote, unauthenticated attackers to execute code on the appliance. HPE has confirmed that all OneView versions prior to 11.00 are affected and has released hotfixes for versions 5.20 through 10.
Implications and Risks
The inclusion of these vulnerabilities in the KEV catalog indicates active exploitation in the wild, posing significant risks to organizations utilizing the affected software. The public availability of proof-of-concept (PoC) exploit code, particularly for CVE-2025-37164, amplifies the threat, as it lowers the barrier for potential attackers to exploit these vulnerabilities.
Recommended Actions
In response to these threats, CISA advises Federal Civilian Executive Branch (FCEB) agencies to implement the necessary patches by January 28, 2026, in accordance with Binding Operational Directive (BOD) 22-01. Organizations outside the federal sector are also strongly encouraged to apply these updates promptly to mitigate the risk of exploitation.
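A small triage helper, added here as an example and not part of the advisory, that flags KEV entries whose BOD 22-01 due date is approaching and classifies an installed OneView version against the affected and hotfixed ranges stated above. The KEV records below are constructed to mirror the real feed's field names; only the CVE identifiers, products and the January 28, 2026 due date come from the advisory.

```python
"""Triage helper for the two KEV additions discussed in the advisory."""
from datetime import date

# Constructed sample records shaped like CISA KEV catalog entries. Field names follow
# the real feed; the values are taken from the advisory text, nothing else is assumed.
SAMPLE_KEV = [
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise (HPE)",
     "product": "OneView", "dueDate": "2026-01-28"},
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "Office PowerPoint", "dueDate": "2026-01-28"},
]


def entries_due_within(entries, today, days):
    """Return (cveID, days_remaining) for entries due within `days` of `today`.

    Entries already past their due date have a negative days_remaining and are
    always included, since they are overdue under BOD 22-01.
    """
    out = []
    for entry in entries:
        remaining = (date.fromisoformat(entry["dueDate"]) - today).days
        if remaining <= days:
            out.append((entry["cveID"], remaining))
    return out


def parse_version(text):
    """Turn an HPE-style version string such as '10.00' or '5.20' into an int tuple.

    Components are compared numerically, so '5.20' (as the advisory writes it)
    sorts above '5.10'; write versions in the vendor's two-digit minor form.
    """
    return tuple(int(part) for part in text.strip().split("."))


def oneview_status(version):
    """Classify an installed OneView version against the advisory's ranges:
    11.00 and later are not affected; 5.20 through 10.x are affected but have a
    vendor hotfix; anything older is affected and must be upgraded."""
    v = parse_version(version)
    if v >= (11, 0):
        return "not affected"
    if v >= (5, 20):
        return "affected - apply HPE hotfix"
    return "affected - no hotfix, upgrade required"


if __name__ == "__main__":
    for cve, left in entries_due_within(SAMPLE_KEV, date.today(), 14):
        print(f"{cve}: {left} day(s) until BOD 22-01 due date")
    for build in ("11.00", "10.00", "5.20", "5.00"):
        print(f"OneView {build}: {oneview_status(build)}")
```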
Conclusion
The active exploitation of these vulnerabilities highlights the ever-present need for vigilance and proactive cybersecurity measures. Organizations must prioritize the timely application of security patches and updates to safeguard their systems against emerging threats.