CISA Flags Microsoft Office and HPE OneView Vulnerabilities in KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Microsoft Office and HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Affected vulnerabilities
CVE-2009-0556 (CVSS 8.8)
A memory corruption vulnerability in Microsoft Office PowerPoint that lets an attacker execute arbitrary code when a user opens a crafted presentation file.
CVE-2025-37164 (CVSS 10.0)
A critical vulnerability in HPE OneView that allows unauthenticated remote code execution. All versions before 11.00 are affected.
HPE disclosed the issue in December 2025 and released hotfixes for OneView versions 5.20 through 10.x, urging customers to update immediately.
Threat context
Although no large-scale exploitation campaign has been publicly confirmed, a proof-of-concept (PoC) exploit for CVE-2025-37164 was published in late December 2025. Public PoC availability sharply raises the likelihood of real-world exploitation, because attackers no longer need to develop the exploit themselves.
Under Binding Operational Directive (BOD) 22-01, U.S. federal civilian executive branch agencies must remediate both vulnerabilities by January 28, 2026.
DIAMATIX Perspective
Inclusion in the KEV catalog is a strong signal that the risk is no longer theoretical. Even without confirmed widespread attacks, publicly available exploit code lowers the barrier to entry for threat actors.
From an operational security standpoint, these cases reinforce the importance of:
prioritized vulnerability and patch management
continuous visibility into endpoint and infrastructure activity
correlation between known exploited vulnerabilities and live threat signals
Organizations that rely solely on scheduled patch cycles, without active detection, remain exposed during the window between public exploit availability and patch deployment, which is exactly when attackers move.
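One way to act on the last point, correlating the KEV feed with what you actually run, as an added example (this is not DIAMATIX's, CISA's or HPE's code): the script below loads a KEV snapshot in the catalog's published JSON schema, matches each entry against an asset inventory, applies the version rule the advisory gives for OneView (everything before 11.00 is affected), flags product matches for which no version rule is encoded as needing manual verification instead of silently dropping them, and orders the result by BOD 22-01 due date. The catalog entries, their description strings and dateAdded values, the inventory and its host names are all constructed for the example; the only affected-version rule encoded is the one stated above for CVE-2025-37164, and none is encoded for CVE-2009-0556 because the article gives none.

```python
"""
Cross-reference a CISA KEV catalog snapshot against an asset inventory and
rank the hits by their BOD 22-01 due date.

Added example, not code from DIAMATIX, CISA or HPE. The catalog entries
below are a constructed sample that follows the field names of the published
KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the description strings, dateAdded values, inventory and host names are
constructed for this example and are not copied from the catalog.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-37164",
            "vendorProject": "Hewlett Packard Enterprise",
            "product": "OneView",
            "vulnerabilityName": "HPE OneView Unauthenticated Remote Code Execution",
            "dateAdded": "2026-01-07",  # constructed
            "shortDescription": "Unauthenticated remote code execution in OneView before 11.00.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-01-28",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2009-0556",
            "vendorProject": "Microsoft",
            "product": "Office",
            "vulnerabilityName": "Microsoft Office PowerPoint Memory Corruption",
            "dateAdded": "2026-01-07",  # constructed
            "shortDescription": "Crafted presentation files allow arbitrary code execution.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-01-28",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Constructed inventory. patched_cves records hotfixes already applied, so a
# host on an affected branch that has the fix is not reported again.
INVENTORY = [
    {"host": "ov-mgmt-01", "vendor": "HPE", "product": "OneView", "version": "8.10", "patched_cves": []},
    {"host": "ov-lab-02", "vendor": "HPE", "product": "OneView", "version": "11.00", "patched_cves": []},
    {"host": "ov-dr-03", "vendor": "HPE", "product": "OneView", "version": "10.00", "patched_cves": ["CVE-2025-37164"]},
    {"host": "ws-fin-07", "vendor": "Microsoft", "product": "Office PowerPoint", "version": "12.0", "patched_cves": []},
    {"host": "srv-web-01", "vendor": "Apache", "product": "HTTP Server", "version": "2.4.58", "patched_cves": []},
]


def parse_version(text):
    """'8.10' -> (8, 10, 0); '11.00' -> (11, 0, 0). Padded to three parts so
    '11' and '11.00' compare equal; a non-numeric part ends the tuple."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts + [0] * (3 - len(parts)))[:3]


# Affected-version predicates per CVE, from the vendor advisory as summarised
# in the article: OneView before 11.00 is affected. No rule for CVE-2009-0556.
AFFECTED_RULES = {
    "CVE-2025-37164": lambda v: parse_version(v) < (11, 0, 0),
}


def product_matches(kev_product, asset_product):
    """Loose substring match on product name; real deployments match on CPE."""
    a, b = kev_product.lower(), asset_product.lower()
    return a in b or b in a


def prioritize(kev_json, inventory, today_iso):
    """Return findings sorted by days left to the KEV due date; 'affected'
    hits (version rule satisfied) sort before 'verify' hits (product matched
    but no version rule encoded, so a human has to check)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        cve = entry["cveID"]
        rule = AFFECTED_RULES.get(cve)
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not product_matches(entry["product"], asset["product"]):
                continue
            if cve in asset.get("patched_cves", []):
                continue
            if rule is not None:
                if not rule(asset["version"]):
                    continue
                status = "affected"
            else:
                status = "verify"
            findings.append({
                "host": asset["host"],
                "cveID": cve,
                "status": status,
                "dueDate": entry["dueDate"],
                "days_left": (due - today).days,
                "ransomware": entry["knownRansomwareCampaignUse"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["status"] != "affected", f["host"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(KEV_SAMPLE, INVENTORY, "2026-01-20"):
        print(f"{f['days_left']:>3}d  {f['status']:<8} {f['cveID']:<15} {f['host']}")
```

In production the match would be made on CPE strings from the scanner rather than product-name substrings, and the feed would be pulled from the URL in the docstring on a schedule; the parts worth keeping are the ordering by due date and the separate "verify" bucket, which stops a product match from disappearing just because nobody has encoded its affected version range yet.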
Sources
CISA – Known Exploited Vulnerabilities (KEV) Catalog
Hewlett Packard Enterprise – OneView Security Advisory
eSentire – CVE-2025-37164 Analysis