Jan 08, 2026Ravie LakshmananVulnerability / KEV Catalog
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Wednesday added two safety flaws impacting Microsoft Workplace and Hewlett Packard Enterprise (HPE) OneView to its Identified Exploited Vulnerabilities (KEV) catalog, citing proof of lively exploitation.
The vulnerabilities are listed under –
CVE-2009-0556 (CVSS rating: 8.8) – A code injection vulnerability in Microsoft Workplace PowerPoint that enables distant attackers to execute arbitrary code by way of reminiscence corruption
CVE-2025-37164 (CVSS rating: 10.0) – A code injection vulnerability in HPW OneView that enables a distant unauthenticated consumer to carry out distant code execution
Particulars of CVE-2025-37164 emerged final month when HPE stated the vulnerability impacts all variations of the software program previous to model 11.00. The corporate additionally made obtainable hotfixes for OneView variations 5.20 via 10.
The scope and supply of the assaults concentrating on the 2 flaws is presently unclear, and there seem like no public studies referencing their exploitation within the wild. Nevertheless, a report from eSentire on December 23, 2025, revealed the discharge of an in depth proof-of-concept (PoC) exploit for CVE-2025-37164.
“Public availability of PoC exploit code considerably will increase the danger to organizations working affected variations of the applying,” eSentire stated. “Because the vulnerability impacts all variations previous to 11.0, organizations are strongly suggested to use the required updates to mitigate the potential danger of exploitation.”
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Government Department (FCEB) businesses are advisable to use the mandatory fixes by January 28, 2026, to safe their networks towards lively threats.
