
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new security warning after adding two vulnerabilities affecting Microsoft Office and HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog. This means the flaws are not just theoretical but are being actively exploited by attackers.
The first vulnerability, tracked as CVE-2009-0556, affects Microsoft Office PowerPoint. With a high CVSS score of 8.8, this flaw allows attackers to execute malicious code remotely through specially crafted PowerPoint files. Once a victim opens the file, the system can be compromised without any obvious signs.
The second and more critical issue is CVE-2025-37164 in HPE OneView, which carries a maximum CVSS score of 10.0. This vulnerability enables remote code execution without authentication, making it especially dangerous. HPE confirmed that all OneView versions prior to 11.00 are affected and has released hotfixes for versions 5.20 through 10.
While large-scale attacks have not yet been widely reported, the risk is considered serious. In December 2025, cybersecurity firm eSentire revealed that a working proof-of-concept exploit for the HPE OneView vulnerability had been made public. The availability of such exploit code significantly increases the likelihood of real-world attacks, particularly against unpatched systems.
CISA has set a clear deadline for action. Under Binding Operational Directive (BOD) 22-01, U.S. federal agencies must apply the required security updates by January 28, 2026. Organizations outside the government sector are strongly encouraged to follow the same guidance.
In short, if your environment still relies on outdated versions of Microsoft Office or HPE OneView, now is the time to act. Applying security updates promptly is a critical step to protect systems, data, and business operations from active cyber threats.
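To make the advisory actionable, here is a small triage helper written for this post (it is not code from the article, CISA, or HPE). It applies only the facts stated above: the January 28, 2026 due date, and HPE's statement that every OneView release before 11.00 is affected with hotfixes available for 5.20 through 10. The inventory, hostnames and reference date are constructed for the example; since the article gives no version range for the PowerPoint flaw, Office installs are flagged for a patch-state check rather than decided by version number.

```python
# Added example, not code from the article, CISA, or HPE: triage a constructed
# asset inventory against the facts the advisory states.
from dataclasses import dataclass
from datetime import date

# Facts taken from the article
KEV_DUE_DATE = date(2026, 1, 28)      # BOD 22-01 remediation deadline
ONEVIEW_FIRST_FIXED = (11, 0)         # all OneView versions prior to 11.00 are affected
ONEVIEW_HOTFIX_LOW = (5, 20)          # hotfixes released for 5.20 through 10
ONEVIEW_HOTFIX_HIGH_MAJOR = 10


def parse_version(text: str) -> tuple[int, int]:
    """Turn '11.00', '5.20' or '10' into a comparable (major, minor) tuple."""
    parts = text.strip().split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 and parts[1] else 0
    return (major, minor)


def oneview_status(version_text: str) -> str:
    """Classify a OneView version against the affected/hotfix ranges from the article."""
    v = parse_version(version_text)
    if v >= ONEVIEW_FIRST_FIXED:
        return "not affected"
    if ONEVIEW_HOTFIX_LOW <= v and v[0] <= ONEVIEW_HOTFIX_HIGH_MAJOR:
        return "affected: apply HPE hotfix or upgrade to 11.00"
    return "affected: no hotfix listed, upgrade to 11.00"


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str


# Constructed inventory: hostnames and versions are made up for this example
SAMPLE_INVENTORY = [
    Asset("ov-prod-01", "HPE OneView", "5.20"),
    Asset("ov-lab-02", "HPE OneView", "11.00"),
    Asset("ov-legacy-03", "HPE OneView", "4.10"),
    Asset("ws-finance-07", "Microsoft Office", "unknown"),
]


def triage(inventory):
    """Return (hostname, cve, action) for every asset that still needs attention."""
    findings = []
    for asset in inventory:
        product = asset.product.lower()
        if product == "hpe oneview":
            status = oneview_status(asset.version)
            if status != "not affected":
                findings.append((asset.hostname, "CVE-2025-37164", status))
        elif product == "microsoft office":
            # No affected-version range is given for the PowerPoint flaw, so every
            # Office install is flagged for a patch-state check instead.
            findings.append((asset.hostname, "CVE-2009-0556",
                             "verify the Microsoft Office security update is installed"))
    return findings


def days_until_deadline(today: date) -> int:
    """Days left until the BOD 22-01 due date; negative means overdue."""
    return (KEV_DUE_DATE - today).days


if __name__ == "__main__":
    today = date(2026, 1, 15)  # constructed reference date
    print(f"{days_until_deadline(today)} day(s) until the KEV due date {KEV_DUE_DATE}")
    for host, cve, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {cve}: {action}")
```

Replace `SAMPLE_INVENTORY` with an export from your CMDB or scanner and run it daily until `days_until_deadline` reaches zero with no findings left; the version comparison deliberately treats "10" as 10.0 so that a bare major version in the inventory still lands inside the hotfix range.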
Source: https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html
