
CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited


These articles are AI-generated summaries. Please check the original sources for full details.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2009-0556 (Microsoft Office) and CVE-2025-37164 (HPE OneView) to its Known Exploited Vulnerabilities (KEV) catalog. Inclusion in KEV means CISA has evidence that both flaws are being exploited in the wild. CVE-2025-37164, a critical vulnerability in HPE OneView, carries the maximum CVSS score of 10.0.

Why This Matters

Ideal security models assume prompt patching, but real-world enterprise environments often lag because of change control, compatibility testing and sprawling inventories. An unpatched vulnerability with a publicly available exploit is a low-effort entry point: a single successful exploit can lead to widespread system compromise and data breaches, and the remediation costs and regulatory fines that follow can run into the millions.

Key Insights

  • CVE-2009-0556 (CVSS 8.8): A memory-corruption flaw in Microsoft Office PowerPoint, disclosed in 2009, that allows arbitrary code execution when a user opens a crafted presentation file. It remains a threat because unsupported, unpatched Office versions are still in use.
  • Proof-of-Concept (PoC) Exploits: eSentire reported a PoC exploit for CVE-2025-37164 on December 23, 2025. A public PoC sharply lowers the bar for attackers and increases the likelihood of opportunistic exploitation.
  • Binding Operational Directive (BOD) 22-01: Requires Federal Civilian Executive Branch (FCEB) agencies to remediate each KEV entry by the due date CISA lists for it; for these two CVEs the due date is January 28, 2026.

Practical Applications

  • Use Case: Managed service providers (MSPs) should match the KEV catalog against their clients' asset and vulnerability-scan inventories, then prioritize these two CVEs for patching, or, where the affected Office version no longer receives updates, for upgrade or removal.
  • Pitfall: Ignoring KEV entries can lead to compliance violations (BOD 22-01 for FCEB agencies, and KEV is increasingly referenced by auditors and cyber insurers) and to increased cyber insurance premiums.
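One way to do the matching described above, as an added example that is not part of the original article or CISA's tooling: CISA publishes the KEV catalog as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, so a short script can join scanner findings against it and flag what is overdue under BOD 22-01. The feed excerpt and the scanner findings below are constructed inline so the script runs offline; the host names are hypothetical, and the dateAdded values are assumptions (the article only gives the due date).

```python
"""Triage vulnerability-scanner findings against the CISA KEV catalog.

Added example, not the article's or CISA's own code. The sample feed and
findings are constructed; swap in fetch_live_kev() for the real catalog.
"""
import json
from datetime import date
from urllib.request import urlopen

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt using the live feed's field names. dueDate comes from the
# article; dateAdded is assumed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2009-0556",
            "vendorProject": "Microsoft",
            "product": "Office",
            "dateAdded": "2026-01-07",  # assumed
            "dueDate": "2026-01-28",    # from the article
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2025-37164",
            "vendorProject": "HPE",
            "product": "OneView",
            "dateAdded": "2026-01-07",  # assumed
            "dueDate": "2026-01-28",    # from the article
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed scanner output: one row per (host, CVE) finding. Hypothetical hosts.
SAMPLE_FINDINGS = [
    {"host": "ws-finance-07", "cve": "CVE-2009-0556"},
    {"host": "ws-hr-12", "cve": "CVE-2009-0556"},
    {"host": "oneview-mgmt", "cve": "CVE-2025-37164"},
    {"host": "web01", "cve": "CVE-2021-44228"},  # not in the sample feed, so ignored
]


def load_kev(json_text):
    """Parse a KEV feed (live or sample) into {cveID: entry}."""
    data = json.loads(json_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def fetch_live_kev(url=KEV_URL, timeout=30):
    """Download the live catalog. Needs network access; not called by default."""
    with urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def triage(findings, kev, today):
    """Return one row per finding that is in KEV, with its BOD 22-01 due-date status.

    `today` is an ISO date string so callers can pin the reference date.
    """
    ref = date.fromisoformat(today)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # exploited-in-the-wild status unknown; handle via normal SLA
        days_left = (date.fromisoformat(entry["dueDate"]) - ref).days
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": entry["dueDate"],
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "DUE",
        })
    # Most urgent first: overdue items, then nearest due date.
    rows.sort(key=lambda r: (r["days_left"], r["cve"], r["host"]))
    return rows


def summarize(rows):
    """Count affected hosts per CVE, for a client or management report."""
    counts = {}
    for r in rows:
        counts[r["cve"]] = counts.get(r["cve"], 0) + 1
    return counts


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)  # use fetch_live_kev() when online
    for r in triage(SAMPLE_FINDINGS, catalog, "2026-01-20"):
        print(f"{r['status']:8} {r['cve']:16} {r['host']:16} due {r['due']} ({r['days_left']:+d} days)")
    print(summarize(triage(SAMPLE_FINDINGS, catalog, "2026-01-20")))
```

Findings whose CVE is not in KEV are deliberately dropped from the report rather than treated as safe; they should still flow through the normal patch SLA. The same join works against the CSV version of the catalog, and the dueDate field is what makes KEV more useful for prioritization than a raw CVSS score.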
