TL;DR
CISA added two vulnerabilities to its Known Exploited Vulnerabilities list: CVE-2025-37164, a maximum-severity code injection flaw in HPE OneView, and CVE-2009-0556, a long-standing PowerPoint code-execution bug. Security firms had already published exploit proof-of-concept code for the HPE issue, and the inclusion of the PowerPoint defect indicates older, unpatched systems remain targets.
What happened
The Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities catalog to include two distinct remote code execution flaws. The first, CVE-2025-37164, affects HPE OneView—an infrastructure management platform for servers, storage and networking—and carries a CVSS score of 10.0; HPE warned in a December 18 advisory that the flaw can permit injected code to run, potentially enabling full control of affected systems. Security researchers subsequently published proof-of-concept exploit code, raising concerns that attackers could quickly weaponize the defect. The second entry, CVE-2009-0556, is a memory-corruption code-execution vulnerability in Microsoft PowerPoint that dates back more than 15 years and was addressed by Microsoft in MS09-017; its addition to CISA’s list suggests that unpatched or unsupported installations are still being exploited. HPE did not provide public answers about observed intrusions, customer impact or data loss.
Why it matters
- A CVSS 10.0 flaw in a management console can give attackers broad control over datacenter infrastructure if exploited.
- Public release of exploit code lowers the technical barrier for attackers to move from discovery to compromise.
- The PowerPoint bug demonstrates that aging, unpatched software can remain an active threat vector years after an official patch was released.
- Organizations must monitor both new critical enterprise bugs and legacy vulnerabilities on unsupported systems.
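As an added illustration (not code from the source article or from CISA), the kind of inventory cross-check the last point calls for: it reads a feed in the shape of CISA's KEV JSON catalog, matches entries against an asset list, orders them by remediation due date and flags CVEs old enough to be legacy exposures. The feed contents, hosts and dates below are constructed, and the vendor/product strings are assumed rather than copied from the catalog.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. Field names follow the
# catalog's schema; the dates and vendor/product strings are illustrative only.
SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise",
     "product": "OneView", "dateAdded": "2026-01-07", "dueDate": "2026-01-28"},
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "PowerPoint", "dateAdded": "2026-01-07", "dueDate": "2026-01-28"}
  ]
}"""

# Constructed (hypothetical) asset inventory, keyed by vendor/product as the feed names them.
SAMPLE_INVENTORY = [
    {"host": "mgmt-01", "vendorProject": "Hewlett Packard Enterprise", "product": "OneView"},
    {"host": "legacy-desk-17", "vendorProject": "Microsoft", "product": "PowerPoint"},
    {"host": "web-03", "vendorProject": "Example Corp", "product": "Widget"},
]

LEGACY_YEARS = 10  # CVEs at least this old get a 'legacy' flag: they should be long patched


def cve_year(cve_id: str) -> int:
    """Year embedded in a CVE identifier, e.g. CVE-2009-0556 -> 2009."""
    return int(cve_id.split("-")[1])


def match_kev(kev_json: str, inventory: list, today: str) -> list:
    """Cross-reference a KEV feed (JSON text) against an inventory.

    Returns one dict per (host, KEV entry) pair matching on vendor and product,
    sorted by due date, with 'overdue' and 'legacy' flags relative to `today` (ISO date).
    """
    today_d = date.fromisoformat(today)
    entries = json.loads(kev_json)["vulnerabilities"]
    hits = []
    for asset in inventory:
        for e in entries:
            if (e["vendorProject"], e["product"]) != (asset["vendorProject"], asset["product"]):
                continue
            hits.append({
                "host": asset["host"],
                "cveID": e["cveID"],
                "dueDate": e["dueDate"],
                "overdue": date.fromisoformat(e["dueDate"]) < today_d,
                "legacy": today_d.year - cve_year(e["cveID"]) >= LEGACY_YEARS,
            })
    return sorted(hits, key=lambda h: (h["dueDate"], h["cveID"]))
```

Against the live catalog the same function works unchanged once the feed text is fetched and the inventory's vendor/product names are normalised to CISA's spelling.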
Key facts
- CISA added CVE-2025-37164 (HPE OneView) and CVE-2009-0556 (Microsoft PowerPoint) to its Known Exploited Vulnerabilities catalog.
- CVE-2025-37164 is a code injection vulnerability with a CVSS score of 10.0.
- HPE OneView manages servers, storage and networking from a central console.
- HPE published an advisory on December 18 stating the OneView flaw could be used to inject and execute code.
- Security researchers, including Rapid7, released a proof-of-concept exploit for the OneView vulnerability.
- eSentire warned that available exploit code reduces the effort required for attackers to exploit the bug.
- CVE-2009-0556 is a PowerPoint memory-corruption code injection flaw rated 8.8 and was fixed by Microsoft in MS09-017.
- CISA’s inclusion of the 2009 PowerPoint bug indicates attackers are successfully targeting systems that remain unpatched or unsupported.
- HPE did not answer questions about whether attackers had been observed in customer environments, the number of exposed customers, or any data exfiltration.
What to watch next
- Whether HPE publishes details on the scope of active exploitation and customer impact — not confirmed in the source.
- If evidence of data exfiltration tied to the OneView exploit emerges — not confirmed in the source.
- Any follow-up technical indicators or campaign details from CISA or security vendors that clarify attack methods — not confirmed in the source.
Quick glossary
- CISA: U.S. Cybersecurity and Infrastructure Security Agency, a federal agency that tracks and issues guidance on cyber threats and vulnerabilities.
- CVE: Common Vulnerabilities and Exposures, a standard identifier for publicly known cybersecurity vulnerabilities.
- CVSS: Common Vulnerability Scoring System, a numeric scale (0-10) used to indicate the severity of a vulnerability.
- Proof-of-concept (PoC): Demonstration code or steps that show how a vulnerability can be exploited, which can assist defenders but also enable attackers.
- HPE OneView: An infrastructure management platform used to administer servers, storage and networking from a centralized console.
Reader FAQ
Which vulnerabilities did CISA add to its exploited list?
CISA added CVE-2025-37164 (HPE OneView) and CVE-2009-0556 (Microsoft PowerPoint).
Is the HPE OneView flaw being actively exploited?
CISA’s addition indicates exploitation in the wild, but HPE did not confirm specific observations or affected customer counts.
Has HPE said whether data was stolen via the OneView exploit?
Not confirmed in the source.
Was the PowerPoint vulnerability already patched?
Microsoft fixed the PowerPoint issue in MS09-017, but CISA’s listing suggests unpatched or unsupported systems remain targeted.

Source excerpt: "CISA flags actively exploited Office relic alongside fresh HPE flaw. Max-severity OneView hole joins a PowerPoint bug that should've been retired years ago." Carly Page, Thu 8 Jan 2026, 13:44 UTC. "CISA…"
Sources
- CISA flags actively exploited Office relic alongside fresh HPE flaw
- CISA flags exploited Office relic alongside fresh HPE flaw
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- Known Exploited Vulnerabilities Catalog