CISA flags actively exploited Office relic alongside fresh HPE flaw

Max-severity OneView hole joins a PowerPoint bug that should've been retired years ago

by · The Register

CISA has added a pair of security holes to its actively exploited list, warning that attackers are now abusing a maximum-severity bug in HPE's OneView management software and a years-old flaw in Microsoft Office.

The latest update to CISA's Known Exploited Vulnerabilities catalog flags CVE-2025-37164, a code injection vulnerability in HPE OneView, and CVE-2009-0556, a PowerPoint code injection bug that's been lurking for more than 15 years.

CVE-2025-37164 carries a perfect 10.0 CVSS score and affects HPE OneView, software used to manage servers, storage, and networking gear from a central console. In a December 18 advisory, HPE said the flaw could be exploited to inject and execute code, potentially granting full control of affected environments, though it did not say at the time whether attacks were already underway.

CISA's decision to add the flaw to its exploited-in-the-wild catalog suggests that has now changed, even if details remain thin. HPE did not respond to The Register's questions about whether attackers have been observed in customer environments, how many customers might be exposed, or if any data has been exfiltrated as a result of exploitation.

Security firms, however, previously warned that the bug was unlikely to remain theoretical for long. Following HPE's disclosure, a proof-of-concept exploit was published by Rapid7, which suggested defenders treat the issue as an assumed-breach scenario. eSentire noted that the availability of working exploit code significantly lowered the barrier for attackers to move from curiosity to compromise.

Alongside the OneView issue, CISA also flagged CVE-2009-0556, a Microsoft Office PowerPoint code injection vulnerability rated 8.8 on the CVSS scale. The bug, confirmed by Microsoft back in 2009, allows remote attackers to execute arbitrary code via memory corruption when a user opens a specially crafted PowerPoint file. Microsoft patched the issue years ago as part of MS09-017, but its appearance in the KEV catalog indicates that unpatched or unsupported systems are still being successfully targeted.
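For teams that need to turn a KEV addition like this into a ticket, the practical check is to diff the catalog against an asset inventory and read off the due date. The script below is an added example, not code from The Register, CISA, HPE or Microsoft. It follows the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse); the two sample records, their dates, and the asset names are constructed placeholders for offline use, not the real catalog values.

```python
"""Cross-check a CVE inventory against CISA's Known Exploited Vulnerabilities feed.

Added example, not code from the article or from CISA/HPE/Microsoft. Record fields
follow the public KEV JSON feed; the sample records below are constructed for
offline use and their dates are placeholders, not the catalog's real values.
"""
import json
import urllib.request
from datetime import date

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed sample in the feed's shape (placeholder dates); the live feed has
# thousands of records and is fetched with fetch_kev() instead.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2025-37164", "vendorProject": "HPE", "product": "OneView",
         "vulnerabilityName": "HPE OneView Code Injection Vulnerability",
         "dateAdded": "2026-01-01", "dueDate": "2026-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
         "product": "Office PowerPoint",
         "vulnerabilityName": "Microsoft Office PowerPoint Code Injection Vulnerability",
         "dateAdded": "2026-01-01", "dueDate": "2026-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(raw):
    """Parse a KEV feed document and index its records by upper-cased CVE ID."""
    doc = json.loads(raw)
    return {v["cveID"].upper(): v for v in doc["vulnerabilities"]}


def fetch_kev(url=KEV_URL, timeout=30):
    """Download and index the live feed (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def match_inventory(kev, inventory, today):
    """inventory: iterable of (asset, cve_id) pairs. Returns one finding per KEV hit,
    with the catalog due date and days remaining (negative means already overdue)."""
    findings = []
    for asset, cve in inventory:
        entry = kev.get(cve.strip().upper())
        if entry is None:
            continue  # not in KEV: still worth patching, but not on CISA's clock
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        findings.append({
            "asset": asset,
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    return findings


def find_by_product(kev, needle):
    """Case-insensitive substring search over vendor, product and name, for asset
    lists that carry product names (e.g. 'OneView') rather than CVE IDs."""
    n = needle.lower()
    return [v for v in kev.values()
            if n in f'{v["vendorProject"]} {v["product"]} {v["vulnerabilityName"]}'.lower()]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_FEED)  # replace with fetch_kev() for the live catalog
    inventory = [("oneview-01", "cve-2025-37164"), ("kiosk-07", "CVE-2009-0556"),
                 ("web-01", "CVE-2024-0001")]  # constructed asset list
    for f in match_inventory(kev, inventory, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f'{f["asset"]}: {f["cveID"]} ({f["product"]}) due {f["dueDate"]} [{state}]')
```

The due date is what makes KEV different from a plain CVE list: under BOD 22-01 it is a binding remediation deadline for US federal civilian agencies, and many private-sector teams adopt the same clock. Match on CVE ID first and fall back to the product search only when the inventory lacks identifiers, since vendor and product strings in the catalog are free text.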

The two vulnerabilities have little in common. One has had a patch available since 2009 and should have been patched out of existence long ago, while the other is a fresh enterprise flaw buried in the machinery of modern datacenters. For attackers, age clearly isn't a deal-breaker if the exploit still works. ®