CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities are listed below:

  • CVE-2009-0556 (CVSS score: 8.8) – A code injection vulnerability in Microsoft Office PowerPoint that allows remote attackers to execute arbitrary code by means of memory corruption
  • CVE-2025-37164 (CVSS score: 10.0) – A code injection vulnerability in HPE OneView that allows a remote unauthenticated user to perform remote code execution

Details of CVE-2025-37164 emerged last month when HPE said the vulnerability impacts all versions of the software prior to version 11.00. The company also made available hotfixes for OneView versions 5.20 through 10.

The scope and source of the attacks targeting the two flaws is currently unclear, and there appear to be no public reports referencing their exploitation in the wild. However, a report from eSentire on December 23, 2025, revealed the release of a detailed proof-of-concept (PoC) exploit for CVE-2025-37164.

“Public availability of PoC exploit code significantly increases the risk to organizations running affected versions of the application,” eSentire said. “As the vulnerability impacts all versions prior to 11.0, organizations are strongly advised to apply the required updates to mitigate the potential risk of exploitation.”

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by January 28, 2026, to secure their networks against active threats.
