
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws affecting Microsoft Office and Hewlett Packard Enterprise’s (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities are listed below –

- CVE-2009-0556 (CVSS Score: 8.8) – Code injection vulnerability in Microsoft Office PowerPoint allows remote attackers to execute arbitrary code via memory corruption
- CVE-2025-37164 (CVSS Score: 10.0) – Code injection vulnerability in HPE OneView allows remote unauthenticated users to execute arbitrary code
Details about CVE-2025-37164 were revealed last month when HPE said the vulnerability affected all versions of the software prior to version 11.00. The company also provided hotfixes for OneView versions 5.20 to 10.

The scope and origin of attacks targeting the two flaws are currently unknown, and there appear to be no public reports mentioning actual exploitation. However, an eSentire report on December 23, 2025 revealed that a detailed proof-of-concept (PoC) exploit for CVE-2025-37164 has been released.
“When PoC exploit code is published, it significantly increases the risk for organizations running affected versions of the application,” eSentire said. “This vulnerability affects all versions prior to 11.0, so organizations are strongly encouraged to apply the necessary updates to reduce the potential risk of exploitation.”
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are encouraged to apply the necessary fixes by January 28, 2026, to protect their networks from active threats.
