Cybersecurity · 7 min read · Credibility 95/100

CISA Adds Critical HPE OneView and Legacy PowerPoint Vulnerabilities to

CISA added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog on January 7, 2026: a critical CVE-2025-37164 remote code execution flaw in HPE OneView infrastructure management software and a legacy CVE-2009-0556 code injection vulnerability in Microsoft Office PowerPoint. Federal agencies must remediate by January 28, 2026, with all organizations strongly urged to prioritize these patches given confirmed active exploitation.

Fact-checked and reviewed — Kodi C.


The Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on January 7, 2026, reflecting confirmed active exploitation in the wild. The additions include CVE-2025-37164, a maximum-severity remote code execution vulnerability in HPE OneView infrastructure management software, and CVE-2009-0556, a resurfaced legacy code injection flaw in Microsoft Office PowerPoint. Federal civilian executive branch agencies face a mandatory remediation deadline of January 28, 2026, while all organizations are strongly encouraged to treat these additions as high-priority patching targets.

CVE-2025-37164: HPE OneView remote code execution

CVE-2025-37164 represents a critical remote code execution vulnerability in Hewlett Packard Enterprise OneView, receiving the maximum CVSS score of 10.0. HPE OneView is widely deployed enterprise infrastructure management software used to provision, manage, and monitor servers, storage, and networking equipment across data center environments. The vulnerability allows unauthenticated remote attackers to inject and execute arbitrary code on vulnerable systems.

The attack surface created by this vulnerability is substantial. Successful exploitation grants attackers control over the OneView management platform, which typically has privileged access to firmware updates, configuration management, and lifecycle operations across entire server fleets. Compromising this central management point provides attackers with lateral movement pathways throughout enterprise infrastructure.

The vulnerability disclosure timeline contributed to elevated risk. A public proof-of-concept exploit became available just one day after HPE released patches, dramatically shortening the window available for defensive remediation. Organizations that did not implement patches within hours of release may have been exposed to exploitation attempts using publicly available attack code.

HPE released hotfix patches covering OneView versions 5.20 through 10.20. Organizations running versions prior to 11.00 should verify patch status immediately. The remediation process requires coordinated downtime planning, as OneView management platforms typically require restart after patch application. Organizations should prioritize this maintenance window given the severity and active exploitation status.

Infrastructure management platforms like OneView often receive less security monitoring attention than production workloads. Security operations teams should review whether OneView instances are appropriately segmented from general network traffic and whether management interface access is restricted to authorized administrator endpoints. Post-patch, organizations should conduct forensic analysis to identify potential prior compromise indicators.

CVE-2009-0556: Microsoft PowerPoint code injection

CVE-2009-0556 is a memory corruption vulnerability in legacy versions of Microsoft Office PowerPoint that enables arbitrary code execution through maliciously crafted presentation files. Originally disclosed in 2009, this vulnerability affects Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP3, and Office 2004 for Mac. The vulnerability has resurfaced in current attack campaigns, reflecting the persistence of legacy Office deployments in enterprise environments.

The attack vector requires user interaction, specifically opening a malicious PowerPoint file. However, social engineering techniques for document-based attacks remain highly effective, particularly when targeting users with access to legacy systems. Threat actors can distribute malicious presentations through phishing emails, compromised file shares, or watering hole attacks targeting organizations known to use legacy Office installations.

The resurgence of exploitation activity for a 15-year-old vulnerability highlights the ongoing security challenges posed by legacy software. Organizations often maintain older Office versions for compatibility with specialized applications, document archives, or systems that cannot support modern Office releases. These legacy deployments represent persistent attack surfaces that threat actors actively monitor for exploitation opportunities.

Remediation options include applying historical Microsoft security patches, upgrading to supported Office versions, or removing vulnerable installations entirely. Organizations should inventory their environment to identify all instances of affected Office versions. Automated scanning tools may not reliably detect legacy Office installations, requiring manual verification of software inventories.

Defense-in-depth measures provide additional protection against document-based attacks. Email filtering should block or quarantine PowerPoint files from untrusted sources. Application whitelisting can prevent execution of malicious payloads even if users open crafted documents. User awareness training should emphasize the risks of opening unexpected attachments, particularly document formats known to have historical exploitation activity.

KEV Catalog context and significance

CISA's Known Exploited Vulnerabilities Catalog serves as an authoritative record of vulnerabilities with confirmed active exploitation. Unlike general vulnerability databases that track all disclosed flaws, the KEV Catalog specifically identifies vulnerabilities that threat actors are actively using in real-world attacks. This focus on exploitation activity rather than theoretical risk makes KEV additions particularly significant for prioritization decisions.

Binding Operational Directive 22-01 requires federal civilian executive branch agencies to remediate KEV-listed vulnerabilities within specified timeframes. The January 28, 2026 deadline for these additions provides approximately three weeks for federal agencies to complete patching. While the directive's legal requirements apply only to federal agencies, CISA strongly recommends that all organizations treat KEV additions as priority remediation targets.

The inclusion of both a brand-new critical vulnerability and a decades-old legacy flaw reflects the diverse threat environment organizations must address. Attackers exploit whatever vulnerabilities provide access, regardless of whether those flaws are newly discovered or long-known. Thorough vulnerability management must therefore address both emerging and historical attack surfaces.

Organizations should integrate KEV Catalog monitoring into their vulnerability management processes. Automated feeds from CISA provide notification of new additions, enabling rapid prioritization of emerging exploitation risks. Many vulnerability management platforms now incorporate KEV status as a prioritization factor alongside CVSS scores and asset criticality.

Threat intelligence context

The January 2026 KEV additions occur against a backdrop of elevated threat activity. Threat intelligence sources report increased exploitation attempts targeting infrastructure management platforms, reflecting attacker interest in centralized systems that provide broad access to enterprise environments. HPE OneView joins a pattern of recent attacks against other infrastructure management tools including VMware, Ivanti, and various network management platforms.

Legacy software exploitation has also intensified as attackers recognize that many organizations maintain older systems. Campaigns targeting end-of-support Windows systems, deprecated Java versions, and unsupported productivity software demonstrate ongoing attacker interest in legacy attack surfaces. The PowerPoint vulnerability's inclusion in current campaigns suggests systematic attacker targeting of known legacy deployments.

Attribution for exploitation activity has not been publicly confirmed. However, the sophistication of infrastructure management platform attacks and the systematic targeting of legacy software are consistent with both nation-state and sophisticated criminal threat actors. Organizations in critical infrastructure sectors should assume heightened targeting risk and prioritize remediation accordingly.

Detection opportunities exist for both vulnerabilities. Network traffic analysis can identify exploitation attempts against HPE OneView management interfaces. Endpoint detection and response (EDR) solutions should flag suspicious activity following PowerPoint file execution. Security operations teams should review detection coverage and ensure alerting is appropriately configured for exploitation indicators.

Short-term steps

  • Immediately verify patch status for all HPE OneView instances and apply hotfixes for versions 5.20 through 10.20.
  • Conduct thorough inventory of Microsoft Office installations to identify legacy PowerPoint versions affected by CVE-2009-0556.
  • Plan and execute maintenance windows for OneView patching, prioritizing internet-exposed or high-value management instances.
  • Implement network segmentation for infrastructure management platforms if not already in place.
  • Review email filtering rules to ensure appropriate handling of PowerPoint attachments from external sources.
  • Update endpoint detection rules to monitor for exploitation indicators associated with both vulnerabilities.
  • Conduct forensic analysis of OneView systems to identify potential prior compromise, particularly for systems that remained unpatched after proof-of-concept release.
  • Brief security operations and incident response teams on the vulnerabilities and expected remediation timeline.
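One way to turn the KEV feed integration described above and the first two short-term steps (OneView patch-status check, legacy PowerPoint inventory) into a repeatable check, as an added example that is not code from CISA, HPE or the briefing's sources. It assumes the CISA KEV JSON feed's field layout (cveID, vendorProject, product, dateAdded, dueDate); the feed content, the inventory rows and the fixed "today" are constructed so it runs offline, and the version gates encode the ranges the briefing states.

```python
import json
from datetime import date
# Constructed KEV entries in the feed's JSON field layout, mirroring the
# January 7, 2026 additions (description and requiredAction fields omitted).
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise (HPE)",
     "product": "OneView", "dateAdded": "2026-01-07", "dueDate": "2026-01-28"},
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "Office PowerPoint", "dateAdded": "2026-01-07", "dueDate": "2026-01-28"},
]})
# Constructed inventory rows (hostname, product, version) as a CMDB export might list them.
SAMPLE_INVENTORY = [
    ("mgmt-ov-01", "OneView", "8.50"),
    ("mgmt-ov-02", "OneView", "11.00"),
    ("fin-ws-17", "Office PowerPoint", "2003 SP3"),
    ("db-01", "PostgreSQL", "16.2"),
]
DEMO_TODAY = date(2026, 1, 10)  # fixed "today" so the deadline math is reproducible

def parse_version(text):
    """'8.50' -> (8, 50); '2003 SP3' -> (2003,) (non-numeric parts are dropped)."""
    return tuple(int(p) for p in text.replace(" ", ".").split(".") if p.isdigit())

# Version gates taken from the briefing: OneView builds below 11.00 need the hotfix
# verified; PowerPoint 2000/2002/2003 are the affected Windows releases.
VERSION_GATES = {
    "CVE-2025-37164": lambda v: parse_version(v) < (11, 0),
    "CVE-2009-0556": lambda v: parse_version(v)[:1] in {(2000,), (2002,), (2003,)},
}

def load_kev(text):
    return json.loads(text)["vulnerabilities"]

def days_remaining(entry, today):
    """Days until the BOD 22-01 due date; negative means the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days

def match_inventory(entries, inventory, today=DEMO_TODAY):
    """(host, cveID, days_remaining) for rows whose product matches a KEV entry and passes its gate."""
    hits = []
    for host, product, version in inventory:
        for entry in entries:
            if product.lower() not in entry["product"].lower():
                continue
            if VERSION_GATES.get(entry["cveID"], lambda v: True)(version):
                hits.append((host, entry["cveID"], days_remaining(entry, today)))
    return sorted(hits, key=lambda hit: hit[2])  # soonest deadline first

if __name__ == "__main__":
    for host, cve, days in match_inventory(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY):
        print(f"{host}: {cve} due in {days} day(s)")
```

Against the constructed data the already-upgraded OneView host and the unrelated database server drop out, leaving the two hosts that need action with 18 days to the January 28 deadline.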

Analysis summary

The January 7, 2026 KEV additions highlight the dual challenge of addressing both cutting-edge and legacy vulnerabilities. CVE-2025-37164 in HPE OneView demonstrates how rapidly new critical vulnerabilities can move from disclosure to active exploitation, particularly when proof-of-concept code becomes publicly available. CVE-2009-0556 in legacy PowerPoint illustrates how historical vulnerabilities can resurface as attack vectors when legacy systems persist in enterprise environments.

Organizations should treat KEV Catalog additions as mandatory prioritization triggers, regardless of federal affiliation. The confirmation of active exploitation transforms theoretical risk assessments into concrete defensive urgency. Vulnerabilities that attackers are currently using deserve immediate remediation attention.

Infrastructure management platforms warrant particular security attention given their privileged access to enterprise systems. OneView, and similar platforms from other vendors, represent high-value targets that provide attackers with centralized control over diverse infrastructure components. Security programs should ensure these platforms receive appropriate monitoring, segmentation, and rapid patching.

Legacy software management remains a persistent security challenge. Organizations that cannot eliminate legacy deployments should implement compensating controls including network isolation, enhanced monitoring, and application whitelisting. The PowerPoint vulnerability's exploitation demonstrates that attackers actively seek out and exploit known legacy weaknesses.


Source material

  1. CISA Adds Two Known Exploited Vulnerabilities to Catalog — cisa.gov
  2. Known Exploited Vulnerabilities Catalog — cisa.gov
  3. CISA warns of active attacks on HPE OneView and legacy PowerPoint — malwarebytes.com
