CISA Adds Microsoft Office And HPE OneView Flaws To Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency has added two security vulnerabilities affecting Microsoft Office and Hewlett Packard Enterprise OneView to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The update was issued on Wednesday as part of CISA’s ongoing effort to alert organizations to security weaknesses that pose an immediate risk to operational environments. The inclusion of these flaws in the KEV catalog signals that threat actors are actively abusing them, increasing the urgency for organizations to apply available mitigations and updates. While the precise scope and origin of the attacks remain unclear, the decision reflects CISA’s assessment that the vulnerabilities represent a credible threat to public and private sector networks.

One of the vulnerabilities, tracked as CVE-2009-0556 with a CVSS score of 8.8, affects Microsoft Office PowerPoint. It is a memory corruption bug, classified as code injection, that lets a remote attacker execute arbitrary code when a user opens a crafted PowerPoint file. Despite its age, the vulnerability remains relevant because legacy and unpatched Office installations are still common. The second vulnerability, CVE-2025-37164, carries a critical CVSS score of 10.0 and affects HPE OneView, an infrastructure management platform widely used in enterprise environments. It allows an unauthenticated remote attacker to execute code on the OneView appliance, which is a significant risk for organizations that rely on OneView to orchestrate and manage their infrastructure, since the platform holds credentials for and management access to the servers it controls.

Details about CVE-2025-37164 were disclosed last month when HPE confirmed that all versions of OneView prior to 11.00 are affected. The company released hotfixes covering OneView versions 5.20 through 10 and urged customers to update as quickly as possible. While no public reports have tied either vulnerability to widespread attacks in live environments, security researchers have warned that exploit activity is likely to increase. A report published by eSentire on December 23, 2025, highlighted the availability of a detailed proof-of-concept exploit for CVE-2025-37164. According to eSentire, the public release of exploit code significantly raises the likelihood of abuse, particularly in environments that have not yet applied the recommended patches. Because OneView is a management plane, it should not be reachable from untrusted networks in the first place; network exposure of the appliance is worth checking alongside its patch level.

CISA’s inclusion of both vulnerabilities in the KEV catalog brings specific compliance expectations for U.S. government agencies. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities within defined timelines. For these two flaws, agencies have been directed to apply the necessary fixes by January 28, 2026. Although the directive applies directly to federal agencies, CISA continues to emphasize that state, local, tribal, and private sector organizations should treat KEV listings as high-priority indicators of risk. Security teams are encouraged to review their environments for exposure, apply vendor-provided updates, and ensure that legacy systems are either patched or isolated to reduce the likelihood of compromise.
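The review CISA recommends above is easiest to repeat when it is scripted against the catalog itself. The following is an added example, not code from the article, from CISA or from HPE: it indexes a KEV feed by CVE ID, matches entries against a small asset inventory, skips assets already at or above the first unaffected release, and reports how many days remain before each due date. CISA publishes the catalog as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json with a top-level "vulnerabilities" array; the feed excerpt here is constructed sample data shaped like that array (only the CVE IDs, products and due dates are taken from the article). The inventory schema, the token-based product matching rule, and the `FIXED_IN` table (OneView 11.00, from the article) are assumptions made for this example.

```python
"""Triage a CISA KEV feed against a local asset inventory (added example)."""
from __future__ import annotations

import json
from datetime import date

# Constructed sample shaped like the live feed's "vulnerabilities" array. The
# real entries carry more fields (dateAdded, shortDescription, requiredAction,
# notes); only the fields this script reads are included here.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
         "product": "Office PowerPoint", "dueDate": "2026-01-28"},
        {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise",
         "product": "OneView", "dueDate": "2026-01-28"},
    ],
})

# Assumption taken from the article: OneView 11.00 is the first unaffected
# release. Older builds need the vendor hotfix, which an inventory cannot
# see, so they are reported as exposed until someone confirms the hotfix.
FIXED_IN = {"CVE-2025-37164": "11.00"}

# Constructed inventory; the schema is an assumption for this example.
SAMPLE_INVENTORY = [
    {"host": "mgmt-01", "product": "HPE OneView", "version": "10.10"},
    {"host": "mgmt-02", "product": "HPE OneView", "version": "11.00"},
    {"host": "ws-legacy-7", "product": "Microsoft Office PowerPoint 2003", "version": "11.0"},
    {"host": "ws-042", "product": "Microsoft Office Word 2016", "version": "16.0"},
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the feed's 'vulnerabilities' array by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.10' into (10, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def product_matches(kev_product: str, asset_product: str) -> bool:
    """Assumed matching rule: every token of the KEV product name must appear
    in the asset's product name, case-insensitively. Real inventories should
    match on CPE or a maintained alias table instead."""
    wanted = set(kev_product.lower().split())
    return wanted <= set(asset_product.lower().split())


def triage(feed_json: str, inventory: list[dict], today: str) -> list[dict]:
    """Return one finding per (asset, KEV entry) pair that is still exposed,
    most urgent first. `today` is an ISO date such as '2026-01-20'."""
    now = date.fromisoformat(today)
    findings = []
    for cve, entry in load_kev(feed_json).items():
        fixed = FIXED_IN.get(cve)
        for asset in inventory:
            if not product_matches(entry["product"], asset["product"]):
                continue
            if fixed and parse_version(asset["version"]) >= parse_version(fixed):
                continue  # already at or above the first unaffected release
            days_left = (date.fromisoformat(entry["dueDate"]) - now).days
            findings.append({
                "cve": cve,
                "host": asset["host"],
                "product": asset["product"],
                "version": asset["version"],
                "due": entry["dueDate"],
                "days_left": days_left,
                "status": "overdue" if days_left < 0 else "open",
            })
    findings.sort(key=lambda f: (f["days_left"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2026-01-20"):
        print(f"{f['status']:8} {f['cve']:15} {f['host']:12} "
              f"{f['product']} {f['version']}  due {f['due']} ({f['days_left']}d)")
```

Run against the constructed data on 2026-01-20, the script reports two open findings with eight days left (the OneView 10.10 appliance and the PowerPoint 2003 workstation) and nothing for the OneView 11.00 appliance or the Word-only workstation; run after the due date, the same two entries flip to "overdue". Swapping `SAMPLE_KEV_JSON` for the downloaded feed and `SAMPLE_INVENTORY` for a CMDB export is the only change needed to use it for real.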
