CISA Alerts on Active Exploitation of Microsoft Office and HPE OneView Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently identified and added two critical security vulnerabilities affecting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog. This action underscores the immediate need for organizations to address these flaws due to evidence of their active exploitation.
Identified Vulnerabilities:
1. CVE-2009-0556: This vulnerability, with a Common Vulnerability Scoring System (CVSS) score of 8.8, pertains to a code injection flaw in Microsoft Office PowerPoint. It enables remote attackers to execute arbitrary code through memory corruption, potentially leading to unauthorized control over affected systems.
2. CVE-2025-37164: Assigned a CVSS score of 10.0, this critical vulnerability exists in HPE OneView. It allows remote, unauthenticated users to perform remote code execution, posing a significant risk to systems running versions prior to 11.00.
Details and Implications:
HPE disclosed details about CVE-2025-37164 last month, indicating that all versions of OneView before 11.00 are susceptible. To mitigate this risk, HPE has released hotfixes for versions 5.20 through 10.
While the exact scope and origin of attacks exploiting these vulnerabilities remain unclear, the release of a detailed proof-of-concept (PoC) exploit for CVE-2025-37164 on December 23, 2025, has heightened concerns. The availability of such exploit code significantly increases the risk to organizations using affected versions of the software.
Recommendations:
In accordance with Binding Operational Directive (BOD) 22-01, CISA advises Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by January 28, 2026. This directive aims to secure networks against active threats by ensuring timely remediation of known vulnerabilities.
Conclusion:
The active exploitation of these vulnerabilities highlights the critical importance of prompt patch management and system updates. Organizations are urged to assess their systems for exposure to CVE-2009-0556 and CVE-2025-37164 and implement the recommended fixes without delay to safeguard their infrastructure against potential attacks.
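To make the exposure assessment above concrete, the following added example (not CISA's or HPE's own tooling) triages a constructed asset inventory against the CVE-2025-37164 facts stated on this page: every OneView release before 11.00 is affected, hotfixes exist for 5.20 through 10, and BOD 22-01 sets a January 28, 2026 deadline. The inventory format, hostnames and the reading of "through 10" as "any 10.x release" are assumptions. It also shows why version strings must be compared numerically, since a naive string comparison sorts "11.00" before "5.20".

```python
"""Triage HPE OneView assets for CVE-2025-37164 (added example, not vendor code)."""
from datetime import date
from typing import NamedTuple

# Figures taken from the advisory text.
ONEVIEW_FIXED_VERSION = (11, 0)   # all versions before 11.00 are affected
ONEVIEW_HOTFIX_MIN = (5, 20)      # hotfixes released for 5.20 through 10
ONEVIEW_HOTFIX_MAX_MAJOR = 10     # assumption: "through 10" covers any 10.x release
BOD_22_01_DUE = date(2026, 1, 28)


def parse_version(text: str) -> tuple[int, int]:
    """Turn 'MAJOR.MINOR' into an int tuple so comparisons are numeric.

    Pitfall this avoids: as strings, '11.00' < '5.20', so a naive check
    would flag the fixed 11.00 release and wave through 5.20.
    """
    major, _, minor = text.strip().partition(".")
    return (int(major), int(minor or 0))


def is_oneview_vulnerable(version: str) -> bool:
    """CVE-2025-37164: every OneView release before 11.00 is affected."""
    return parse_version(version) < ONEVIEW_FIXED_VERSION


def oneview_remediation(version: str) -> str:
    """Map a version to the fix path described in the advisory."""
    v = parse_version(version)
    if v >= ONEVIEW_FIXED_VERSION:
        return "not affected"
    if v >= ONEVIEW_HOTFIX_MIN and v[0] <= ONEVIEW_HOTFIX_MAX_MAJOR:
        return "apply HPE hotfix"
    return "upgrade to 11.00 (no hotfix published for this branch)"


def days_until_bod_deadline(today_iso: str) -> int:
    """Days remaining until the BOD 22-01 remediation date (negative if past)."""
    return (BOD_22_01_DUE - date.fromisoformat(today_iso)).days


class Asset(NamedTuple):
    host: str
    product: str
    version: str


def triage(assets: list[Asset], today_iso: str) -> list[tuple[str, str, int]]:
    """Return (host, remediation, days_left) for each vulnerable OneView asset."""
    findings = []
    for asset in assets:
        if asset.product != "HPE OneView":
            continue  # CVE-2025-37164 is specific to OneView
        if is_oneview_vulnerable(asset.version):
            findings.append((asset.host,
                             oneview_remediation(asset.version),
                             days_until_bod_deadline(today_iso)))
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Asset("ov-prod-01.example", "HPE OneView", "10.20"),
    Asset("ov-lab-02.example", "HPE OneView", "4.10"),
    Asset("ov-new-03.example", "HPE OneView", "11.00"),
    Asset("fileserver.example", "Windows Server", "2022"),
]

if __name__ == "__main__":
    for host, action, days in triage(SAMPLE_INVENTORY, "2025-12-30"):
        print(f"{host}: CVE-2025-37164 -> {action}; {days} days to BOD 22-01 deadline")
```

Feed `triage` your real CMDB export in the same shape; the two OneView hosts below 11.00 come back with distinct fix paths, while the 11.00 host and the non-OneView asset are skipped.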