SparTech Software CyberPulse – Your quick strike cyber update for January 8, 2026 5:02 AM

CISA Adds Microsoft PowerPoint And HPE OneView Flaws To Known Exploited Vulnerabilities

U.S. federal cybersecurity authorities have formally recognized a legacy Microsoft PowerPoint code injection flaw and a critical Hewlett Packard Enterprise OneView remote code execution vulnerability as actively exploited, triggering mandatory patching timelines for federal agencies and significantly raising the urgency for enterprises that still rely on affected software versions. The inclusion of these issues in the Known Exploited Vulnerabilities catalog indicates adversaries are now weaponizing them in the wild, and organizations must treat both flaws as high-priority incidents requiring immediate technical remediation and compensating controls.

Overview Of The Newly Flagged Vulnerabilities

The first vulnerability is tracked as CVE-2009-0556, a long-standing code injection and memory corruption flaw in Microsoft Office PowerPoint that allows remote attackers to execute arbitrary code via specially crafted presentation files. Despite its age, the vulnerability remains relevant in environments where legacy Office installations persist, particularly in organizations with slow upgrade cycles or embedded document-handling workflows that still rely on older formats and runtimes.

The second vulnerability, CVE-2025-37164, affects HPE OneView, an infrastructure management platform used to provision, monitor, and automate servers, storage, and networking in data centers. It carries the maximum CVSS score of 10.0, reflecting the combination of remote exploitability, no authentication requirement, and full remote code execution on a central management system that often has highly privileged access to hardware and the associated management networks.

CVE-2009-0556: Legacy Microsoft PowerPoint Code Injection

CVE-2009-0556 is a code injection vulnerability that stems from improper handling of crafted PowerPoint files within certain legacy versions of Microsoft Office. When a malicious presentation is opened, malformed structures in the file can trigger memory corruption in the PowerPoint process, ultimately allowing arbitrary shellcode execution within the context of the user who opened the file.

Technically, the bug is associated with unsafe parsing of complex presentation objects such as embedded media, malformed records, or control structures in the PowerPoint binary file format. An attacker can manipulate these structures to corrupt heap or stack memory, then leverage the corrupted state to overwrite function pointers, return addresses, or virtual function tables. This enables redirection of program execution to injected payloads that may be stored within the same file or in process memory.

Because the exploit is triggered through normal document handling, it aligns naturally with phishing and spear-phishing campaigns, where attackers send seemingly legitimate presentations to targeted users. In many organizations, opening PowerPoint files remains a routine activity and users may not recognize subtle indicators of malicious content, giving attackers a reliable vector for initial access.

Operational Impact Of CVE-2009-0556 Exploitation

Successful exploitation of CVE-2009-0556 gives attackers the ability to execute code with the privileges of the current user session. In typical enterprise deployments, this can enable the installation of remote access trojans, credential harvesters, or lateral movement tooling. When the victim is a user with elevated local rights or administrative access to additional systems, the resulting compromise can rapidly escalate to domain-level impact.

Even in environments where modern Office versions are widely deployed, legacy installations can persist on older systems, in isolated business units, or within virtualized desktops and terminal servers that have not been fully updated. Attackers often inventory internal environments after initial footholds and identify such outdated applications as ideal targets for follow-on exploitation, meaning this vulnerability can play a role in multi-stage intrusion chains rather than only initial compromise.

CVE-2025-37164: Critical Remote Code Execution In HPE OneView

CVE-2025-37164 affects HPE OneView versions prior to 11.00 and allows unauthenticated remote code execution. The vulnerability resides in server-side request handling and input processing within the OneView application stack, where improperly validated input can be coerced into unsafe code paths, enabling attackers to inject and execute arbitrary commands on the underlying system.

From an architectural perspective, HPE OneView typically sits in a highly sensitive portion of an enterprise network. It often has direct or indirect control over server provisioning, firmware updates, out-of-band management interfaces, and sometimes network automation. Compromising this platform allows an attacker to move below the operating system level into hardware management planes, where they can perform actions such as reimaging hosts, modifying firmware, or altering network configurations at scale.

Public proof-of-concept exploit code for CVE-2025-37164 was released in late December 2025, significantly lowering the barrier to exploitation for both advanced threats and opportunistic attackers. Working exploit scripts can automate the process of discovery and compromise, scanning for exposed OneView instances and remotely triggering the vulnerability without requiring valid credentials or prior access to the environment.

Attack Surface And Exploitation Scenarios For HPE OneView

HPE OneView is commonly deployed either on dedicated management networks or as virtual appliances. Misconfigurations, however, can expose its interfaces to broader internal segments or even to the internet, particularly when organizations integrate OneView with remote management workflows, external orchestration platforms, or third-party monitoring systems.

In a typical exploitation scenario, an attacker who discovers an accessible OneView instance can send crafted HTTP or API requests that trigger the vulnerable code path. Because the vulnerability does not require authentication, there is no need to brute-force passwords or obtain tokens. Once code execution is achieved, the attacker can deploy persistence mechanisms on the appliance, pivot to connected management networks, and use OneView’s privileged capabilities to manipulate large numbers of servers and storage devices.

Within a few steps, a successful compromise could lead to destructive outcomes such as wiping or corrupting boot volumes across multiple hosts, downgrading firmware to vulnerable versions, or tampering with network stack configurations to facilitate covert traffic redirection and man-in-the-middle operations. Such control at the infrastructure level can bypass many application-layer security controls and complicate incident response and recovery.

CISA Known Exploited Vulnerabilities Catalog And Federal Deadlines

The decision by U.S. cyber authorities to add these vulnerabilities to the Known Exploited Vulnerabilities catalog indicates that there is concrete evidence of exploitation in real-world attacks rather than only theoretical risk. Once a vulnerability is added, it is treated as a mandatory remediation item for federal agencies covered under relevant directives, and it is widely recognized as a practical threat for the private sector as well.

Under Binding Operational Directive 22-01, federal civilian executive branch agencies are required to remediate listed vulnerabilities within a defined timeframe. For CVE-2025-37164 in HPE OneView, the patch deadline is set for late January 2026, reflecting the severity of the flaw and the availability of working exploits. While exact exploitation details have not been widely disclosed, the directive implies active, in-the-wild abuse that could be targeted or opportunistic in nature.

Private organizations are not bound by the federal directive but can view the KEV catalog as a prioritized list of weaknesses that are being exploited across sectors. Aligning internal remediation priorities with KEV entries is often an effective way to reduce exposure to prevalent attack campaigns, particularly when security teams must triage numerous vulnerabilities under constrained resources.

Patch Availability And Upgrade Considerations

For CVE-2009-0556, patches have been available for many years in supported versions of Microsoft Office, and the primary challenge is not patch availability but identification and elimination of legacy software still in use. Organizations must perform targeted asset discovery to locate outdated Office installations on workstations, virtual desktops, and specialized systems, then apply the relevant updates or decommission these instances.

For CVE-2025-37164, HPE has released hotfixes for OneView versions 5.20 through 10 and has indicated that all versions prior to 11.00 are affected. Administrators must ensure that either the hotfixes are applied or that OneView deployments are upgraded to version 11.00 or later. Given the centrality of OneView to infrastructure management, upgrades and hotfix deployments should be accompanied by thorough change management, including snapshots or backups of configuration states, documented rollback plans, and coordination with operations teams to minimize service disruption.

In both cases, organizations should treat these updates as emergency changes when possible, rather than waiting for routine patch windows. Where operational constraints prevent immediate patching, compensating controls such as strict network segmentation, firewall rules, and temporary functional restrictions should be enforced until remediation is complete.

Detection, Monitoring, And Hardening Strategies

Detecting exploitation of CVE-2009-0556 requires a combination of endpoint telemetry and network monitoring. On endpoints, defenders should watch for abnormal PowerPoint process behavior: unexpected child processes, in particular shell interpreters or script engines launched from the PowerPoint process, and anomalous memory access patterns where endpoint detection and response tooling supports behavioral analytics. On the network side, unusual outbound connections beginning shortly after a user opens a presentation can signal a secondary payload or command-and-control beacon.
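The endpoint check described above, as an added example that is not part of the original article: it walks constructed process-creation events (Sysmon-style fields: pid, ppid, image, command line) and flags shells or script engines whose parent chain leads back to POWERPNT.EXE, catching both direct children and ones launched through an intermediate process. Event names, paths and the suspicious-image list are assumptions for illustration.

```python
# Added example (not from the original article): flag shell interpreters and
# script engines whose process ancestry leads back to POWERPNT.EXE. The event
# shape and sample values below are constructed, not real telemetry.
from dataclasses import dataclass

SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
OFFICE_PARENT = "powerpnt.exe"

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged by the endpoint agent
    cmdline: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_office_spawned_tools(events, max_depth=4):
    """Return (pid, image, chain) for each suspicious process whose ancestor
    chain (up to max_depth hops) contains POWERPNT.EXE."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) not in SUSPICIOUS_CHILDREN:
            continue
        chain, cur, depth = [_basename(e.image)], e, 0
        while cur.ppid in by_pid and depth < max_depth:
            cur = by_pid[cur.ppid]
            chain.append(_basename(cur.image))
            if _basename(cur.image) == OFFICE_PARENT:
                hits.append((e.pid, _basename(e.image), " <- ".join(chain)))
                break
            depth += 1
    return hits

# Constructed sample: PowerPoint -> cmd.exe -> powershell.exe (both should be
# flagged) plus a PowerShell started from explorer.exe that must not be.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE", "POWERPNT.EXE deck.ppt"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hi"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -nop"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell"),
]
```

Calling `find_office_spawned_tools(SAMPLE_EVENTS)` returns the two chains rooted at POWERPNT.EXE and ignores the explorer-launched PowerShell.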

For HPE OneView, defenders should log and scrutinize all requests to the management interface, focusing on anomalous patterns such as unexpected source IP addresses, unusual request methods or endpoints, and spikes in failed or malformed requests. Since exploitation can occur without authentication, detection logic must not rely solely on authentication failures or anomalies in user accounts. System-level logs from the OneView host and underlying operating system should also be collected, including markers of command execution outside normal administrative workflows.
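The management-interface review described above, as an added example that is neither the article's nor HPE's code: it reads constructed access-log lines for a OneView-style REST interface and reports requests from outside the admin segment, unexpected HTTP methods, and sources with a burst of 4xx (rejected or malformed) responses, without gating on authentication failures since exploitation needs no credentials. The log format, admin CIDR and thresholds are assumptions for illustration.

```python
# Added example (not from the original article or HPE): review constructed
# management-interface access-log lines. The line format, ADMIN_NETS and the
# 4xx threshold are illustrative assumptions, not OneView's own logging.
import ipaddress
import re
from collections import Counter

ADMIN_NETS = [ipaddress.ip_network("10.50.0.0/24")]   # assumed admin segment
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
MALFORMED_THRESHOLD = 3                                # 4xx responses per source

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+" (?P<status>\d{3})$'
)

def review_requests(lines):
    """Return a list of (reason, detail) findings for the given log lines."""
    findings, rejects = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(("unparseable", line.strip()))
            continue
        src = ipaddress.ip_address(m["src"])
        method, path, status = m["method"], m["path"], int(m["status"])
        # No credentials are needed to exploit, so every request from a
        # non-admin source is reported regardless of auth outcome.
        if not any(src in net for net in ADMIN_NETS):
            findings.append(("non-admin source", f"{src} {method} {path}"))
        if method not in ALLOWED_METHODS:
            findings.append(("unusual method", f"{src} {method} {path}"))
        if 400 <= status < 500:
            rejects[str(src)] += 1
    for src, n in rejects.items():
        if n >= MALFORMED_THRESHOLD:
            findings.append(("4xx burst", f"{src} sent {n} rejected requests"))
    return findings

# Constructed sample lines: normal admin traffic, one external probe with an
# odd method, and a burst of rejected requests from that same external source.
SAMPLE_LOG = [
    '2026-01-07T03:10:01Z 10.50.0.12 "GET /rest/version HTTP/1.1" 200',
    '2026-01-07T03:10:05Z 203.0.113.9 "OPTIONS /rest/version HTTP/1.1" 200',
    '2026-01-07T03:10:06Z 203.0.113.9 "POST /rest/login-sessions HTTP/1.1" 400',
    '2026-01-07T03:10:06Z 203.0.113.9 "POST /rest/login-sessions HTTP/1.1" 400',
    '2026-01-07T03:10:07Z 203.0.113.9 "POST /rest/login-sessions HTTP/1.1" 400',
    '2026-01-07T03:11:00Z 10.50.0.12 "PUT /rest/server-profiles/1 HTTP/1.1" 202',
]
```

`review_requests(SAMPLE_LOG)` yields six findings: four non-admin-source hits, one unusual method, and one 4xx burst, while the admin traffic produces none.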

Hardening HPE OneView involves restricting network exposure so that management interfaces are reachable only from tightly controlled administrative segments, implementing strong firewall policies, and using VPN or bastion hosts for administrative access. Integration credentials and API keys used between OneView and other tooling should be rotated after patching to limit the impact of any previously successful compromise. Additionally, security teams should validate firmware integrity and configuration baselines for managed hardware to detect potential tampering.

Risk Management And Long-Term Lessons

The inclusion of a vulnerability from 2009 alongside a brand-new critical issue in a modern infrastructure platform underscores the persistence of legacy risk and the importance of lifecycle management for both software and hardware. Attackers continually look for unpatched legacy systems that may have been overlooked in modernization projects, and they rapidly incorporate newly disclosed exploits into their toolkits when proof-of-concept code becomes public.

From a governance perspective, organizations should maintain accurate software and asset inventories, map vulnerabilities to business-critical services, and explicitly track exposure to entries in high-priority lists such as the Known Exploited Vulnerabilities catalog. Regular reviews of management-plane security, especially for tools like HPE OneView that can affect entire data centers, should be integrated into security programs, with clear ownership assigned for patching, configuration management, and continuous monitoring.

By promptly remediating CVE-2009-0556 and CVE-2025-37164, constraining access to management interfaces, and improving detection around document-handling and infrastructure orchestration tools, organizations can significantly reduce the likelihood that these actively exploited vulnerabilities will be used as entry points or force multipliers in broader intrusion campaigns.
