The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security vulnerabilities affecting Microsoft Office and HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that the flaws are being actively abused by threat actors.
The move highlights growing concerns about unpatched enterprise software being leveraged in real-world attacks.
Vulnerabilities Added to KEV Catalog
The following security issues have been officially flagged by CISA:
- CVE-2009-0556 (CVSS 8.8)
A code injection vulnerability in Microsoft Office PowerPoint that can allow remote attackers to execute arbitrary code through memory corruption. - CVE-2025-37164 (CVSS 10.0)
A critical code injection flaw in HPE OneView that enables unauthenticated remote attackers to achieve full remote code execution.
HPE OneView Risk Details
Hewlett Packard Enterprise disclosed last month that CVE-2025-37164 affects all OneView versions earlier than 11.00. To address the issue, HPE released hotfixes for versions 5.20 through 10.
Although there are currently no confirmed public reports detailing real-world exploitation, security firm eSentire revealed on December 23, 2025, that a fully functional proof-of-concept exploit for the vulnerability has been published.
According to eSentire, the availability of exploit code significantly raises the likelihood of widespread attacks, especially in environments running outdated versions of OneView.
Exploitation Status Remains Unclear
While CISA has confirmed active exploitation, the source, scale, and threat actors behind the attacks remain unknown. The inclusion of these vulnerabilities in the KEV catalog strongly suggests confirmed malicious use in operational environments.
Federal Agencies Given Deadline
Under Binding Operational Directive 22-01, U.S. Federal Civilian Executive Branch agencies are required to remediate the listed vulnerabilities by January 28, 2026, to reduce exposure to ongoing cyber threats.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
