The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two significant security flaws to its Known Exploited Vulnerabilities (KEV) catalog, warning of their active exploitation. These vulnerabilities affect widely used software from Microsoft and Hewlett Packard Enterprise (HPE), necessitating prompt action from organizations to protect their networks. The inclusion in the KEV catalog signifies a heightened risk due to confirmed instances of these security weaknesses being actively targeted by malicious actors.
Specifically, CISA has cataloged CVE-2009-0556, a memory corruption vulnerability in Microsoft Office PowerPoint that can lead to remote code execution, and CVE-2025-37164, a critical code injection flaw in HPE OneView that allows unauthenticated attackers to achieve similar outcomes. The agency’s directive mandates that federal agencies patch these vulnerabilities by January 28, 2026, to mitigate immediate threats, underscoring the urgency of addressing these now officially recognized exploits.
CISA Adds Exploited Vulnerabilities to KEV Catalog
CISA’s decision to add these two vulnerabilities to the KEV catalog highlights a growing trend of exploitation against both legacy and contemporary software. The Known Exploited Vulnerabilities catalog is a crucial resource for cybersecurity professionals, providing a curated list of vulnerabilities that are not merely theoretical but are actively being used in the wild. This designation obligates federal agencies to prioritize remediation efforts to prevent potential breaches.
The inclusion of CVE-2009-0556, despite its older nature, serves as a reminder that even outdated software can pose significant risks if not properly managed or secured. This vulnerability, with a CVSS score of 8.8, allows attackers to inject and execute arbitrary code by exploiting memory corruption issues within Microsoft Office PowerPoint. Such an exploit could give attackers a foothold into a network, potentially leading to data theft or further system compromise.
Meanwhile, CVE-2025-37164 represents a more immediate and critical threat, carrying the maximum CVSS score of 10.0. This vulnerability in HPE OneView, a critical infrastructure management tool, is described as a code injection flaw that can be exploited by remote, unauthenticated users. The potential for a widespread, unauthenticated attack on systems managed by HPE OneView makes this a high-priority concern for organizations relying on this software.
Details and Impact of the Vulnerabilities
Information regarding CVE-2025-37164 surfaced more recently, with HPE confirming last month that the vulnerability impacted all versions of OneView prior to version 11.00. The company has since released hotfixes for affected versions, spanning from 5.20 through 10, indicating that the issue has been recognized and addressed by the vendor. However, the wide scope of affected versions means that a significant number of organizations may still be at risk if they have not yet applied the necessary patches.
While CISA has confirmed active exploitation, the specific origins and the full scope of attacks targeting these two flaws remain unclear. Public reports detailing successful exploitation in the wild are not readily available. However, a report from cybersecurity firm eSentire on December 23, 2025, provided critical context by revealing the release of a detailed proof-of-concept (PoC) exploit for CVE-2025-37164. The public availability of such exploit code dramatically lowers the barrier to entry for attackers.
eSentire explicitly warned that “Public availability of PoC exploit code significantly increases the risk to organizations running affected versions of the application.” The firm strongly advised organizations to “apply the required updates to mitigate the potential risk of exploitation” due to the broad impact of CVE-2025-37164 across all versions preceding 11.00.
Mandates and Next Steps
Pursuant to Binding Operational Directive (BOD) 22-01, CISA is requiring Federal Civilian Executive Branch (FCEB) agencies to implement the necessary fixes for these vulnerabilities. The deadline set for these agencies to apply the patches is January 28, 2026. This directive emphasizes the federal government’s commitment to securing its networks against actively exploited threats and sets a clear expectation for timely remediation.
For organizations outside of the federal sector, while not under a direct mandate, the inclusion in the KEV catalog serves as a strong recommendation to prioritize patching these vulnerabilities. The evidence of active exploitation, coupled with the release of PoC exploit code, suggests that attackers are actively seeking targets. Organizations should consult their specific vendor advisories for Microsoft and HPE to verify their affected software versions and to obtain the latest patches and mitigation guidance.
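To turn the version ranges and deadline above into a repeatable check, here is an added triage script (not from the article, CISA or HPE) that scores a constructed OneView inventory against the affected range (all versions before 11.00), the hotfix range (5.20 through 10) and the BOD 22-01 due date; the KEV entries are a constructed sample using the field names of CISA's published JSON feed, the host names and the reference date are assumptions.

```python
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; values come from the
# article, not from the live feed.
KEV_ENTRIES = [
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "Office PowerPoint", "dueDate": "2026-01-28"},
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise",
     "product": "OneView", "dueDate": "2026-01-28"},
]

# Constructed asset inventory (hypothetical hosts, as a CMDB export might look).
INVENTORY = [
    {"host": "oneview-prod-01", "product": "OneView", "version": "8.10"},
    {"host": "oneview-lab-02", "product": "OneView", "version": "11.00"},
    {"host": "oneview-old-03", "product": "OneView", "version": "4.10"},
]

def parse_version(v: str) -> tuple:
    """'10' -> (10, 0), '5.20' -> (5, 20): numeric tuples compare correctly."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (2 - len(parts)))

# Ranges stated in the article: everything before 11.00 is affected and
# hotfixes exist for 5.20 through 10.
FIXED_IN = parse_version("11.00")
HOTFIX_LOW = parse_version("5.20")

def assess_oneview(version: str) -> str:
    v = parse_version(version)
    if v >= FIXED_IN:
        return "not_affected"
    if v >= HOTFIX_LOW:            # 5.20 .. 10.x: vendor hotfix available
        return "affected_apply_hotfix"
    return "affected_no_hotfix_listed_upgrade"   # below 5.20: check HPE advisory

def kev_due(cve_id: str, entries=KEV_ENTRIES):
    for e in entries:
        if e["cveID"] == cve_id:
            return date.fromisoformat(e["dueDate"])
    return None   # not in KEV: no BOD 22-01 deadline applies

def report(inventory=INVENTORY, today=date(2026, 1, 14)):
    """Per-host status plus days left to the KEV due date (today is an assumption)."""
    due = kev_due("CVE-2025-37164")
    rows = []
    for asset in inventory:
        if asset["product"] != "OneView":
            continue
        status = assess_oneview(asset["version"])
        days_left = (due - today).days if status != "not_affected" else None
        rows.append({"host": asset["host"], "version": asset["version"],
                     "status": status, "days_to_bod_deadline": days_left})
    return rows
```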
The ongoing addition of vulnerabilities to CISA’s KEV catalog underscores the dynamic nature of the cybersecurity landscape. Organizations must maintain robust vulnerability management programs that include continuous monitoring, timely patching, and proactive defense strategies. The next expected step is for organizations to confirm their compliance with the BOD 22-01 deadline if applicable, and for all others to implement these patches as a matter of urgency to defend against known exploited vulnerabilities.