CISA Warns of Active Attacks Exploiting Microsoft Office and HPE OneView Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised a serious alarm. On Wednesday, the agency added two security weaknesses—one affecting Microsoft Office and the other impacting Hewlett Packard Enterprise (HPE) OneView—to its Known Exploited Vulnerabilities (KEV) catalog. This means there is real evidence that attackers are already taking advantage of these flaws, putting organizations at risk.

For security teams, this is not just another routine update—it’s a reminder of how quickly overlooked software can turn into an open door for attackers.

The vulnerabilities identified are:

  • CVE-2009-0556 (CVSS score: 8.8) – A dangerous code injection flaw in Microsoft Office PowerPoint. By exploiting a memory corruption issue, a remote attacker could run malicious code on a victim’s system.
  • CVE-2025-37164 (CVSS score: 10.0) – A critical code injection vulnerability in HPE OneView that allows an unauthenticated attacker to execute code remotely, giving them powerful control over affected systems.

Information about CVE-2025-37164 surfaced last month when HPE confirmed that all versions of OneView earlier than version 11.00 are vulnerable. To address the issue, the company released hotfixes for OneView versions 5.20 through 10, urging customers to act quickly.

At the moment, the full scale and origin of the attacks exploiting these flaws remain unclear. There are no widely known public reports detailing real-world attacks yet. However, concern grew after cybersecurity firm eSentire reported on December 23, 2025, that a working proof-of-concept (PoC) exploit for CVE-2025-37164 had been released.

According to eSentire, the public availability of exploit code sharply increases the danger. “When attackers can easily access PoC code, the risk rises dramatically,” the company warned. Because every OneView version before 11.0 is affected, organizations are strongly encouraged to apply updates immediately to avoid potential compromise.

In line with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies have been advised to install the required patches no later than January 28, 2026. The message is clear: delaying fixes could leave networks exposed to active and evolving threats.
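The version ranges and deadline above can be turned into a patch worklist. This is an added example, not code from CISA, HPE or eSentire, and it classifies OneView appliances for CVE-2025-37164 by reported version and counts the days left to the BOD 22-01 date. The host names, inventory, status labels and function names are constructed for illustration, and the code assumes a version string alone cannot confirm that a hotfix is installed.

```python
from datetime import date

# Thresholds below come from the article; hosts and versions are constructed.
BOD_DEADLINE = date(2026, 1, 28)   # BOD 22-01 due date for FCEB agencies
FIXED_MAJOR = 11                   # OneView 11.00 and later are not affected
HOTFIX_FLOOR = (5, 20)             # hotfixes cover 5.20 through 10

SAMPLE_INVENTORY = {               # constructed appliance inventory
    "oneview-dc1": "11.00.00",
    "oneview-dc2": "10.20.00",
    "oneview-lab": "5.20",
    "oneview-old": "4.10.01",
    "oneview-dr": "unknown",
}


def parse_version(text):
    """Return (major, minor) from a dotted version, or None if unparseable."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0]   # pad so "10" becomes (10, 0)
    return nums[0], nums[1]


def triage(version_text):
    """Classify one appliance for CVE-2025-37164 by its reported version."""
    v = parse_version(version_text)
    if v is None:
        return "verify-manually"
    if v[0] >= FIXED_MAJOR:
        return "not-affected"
    if v >= HOTFIX_FLOOR:
        # Assumption: the version string does not show whether the hotfix
        # is installed, so these hosts still need confirmation.
        return "apply-or-confirm-hotfix"
    return "upgrade-required"   # affected, and older than the hotfix range


def action_list(inventory, today):
    """Hosts needing work, most urgent class first, plus days to deadline."""
    order = ["upgrade-required", "apply-or-confirm-hotfix", "verify-manually"]
    rows = [(h, v, triage(v)) for h, v in inventory.items()]
    rows = [r for r in rows if r[2] in order]
    rows.sort(key=lambda r: (order.index(r[2]), r[0]))
    return rows, (BOD_DEADLINE - today).days


if __name__ == "__main__":
    rows, days = action_list(SAMPLE_INVENTORY, date(2026, 1, 8))
    for host, version, status in rows:
        print(f"{host:12} {version:10} {status}  ({days} days to deadline)")
```

Appliances with an unparseable or missing version are kept on the list rather than dropped, so that gaps in the inventory surface as work items.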

For many defenders, this update is a stressful but familiar reminder—staying secure isn’t just about knowing the risks, but acting on them before attackers do.