The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning by adding two serious vulnerabilities affecting Microsoft Office PowerPoint and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) Catalog, signaling that evidence of exploitation in the wild is strong enough to require immediate action by federal agencies and urgent attention across the private sector.

The inclusion of these flaws on the KEV list — which CISA uses to prioritize vulnerabilities actively exploited by threat actors — highlights a worrying shift: even legacy software can still be weaponized decades after release, while modern infrastructure management platforms remain prime targets for attackers seeking remote control of enterprise systems.

This comprehensive analysis explores what these vulnerabilities are, how they can be exploited, their real-world implications, and what organizations must do now to protect systems and data.

Overview of CISA’s KEV Catalog and Why It Matters

The Known Exploited Vulnerabilities Catalog is a list maintained by CISA that identifies vulnerabilities with confirmed evidence of exploitation in the wild. Unlike general vulnerability listings, inclusion in KEV means that the threat has moved beyond theoretical risk or lab proof-of-concept — attackers are actively using it against real targets.

For organizations, this catalog is a key guide for prioritizing patching and mitigation, informing vulnerability management programs about which flaws pose the most immediate threat. CISA often frames patch deadlines for federal agencies under its Binding Operational Directive (BOD) 22-01, but the guidance is widely relied upon by private sector cybersecurity teams as a benchmark for urgency.

The Microsoft Office PowerPoint Vulnerability: A Legacy Risk Revived

One of the vulnerabilities CISA flagged is CVE-2009-0556, a code injection flaw in Microsoft Office PowerPoint that dates back more than 15 years and carries a high CVSS score of 8.8.

How the Flaw Works

This security weakness stems from improper handling of data within PowerPoint files, where an attacker can construct a malicious .ppt file that exploits a memory corruption issue when opened. When a victim opens such a crafted presentation, the flaw can allow arbitrary code execution — meaning code of the attacker’s choice could run on the target system.

Who Is Affected

The vulnerability was originally disclosed in 2009 and patched many years ago; the affected products are older versions of PowerPoint, such as:

  • Microsoft Office PowerPoint 2000 SP3
  • PowerPoint 2002 SP3
  • PowerPoint 2003 SP3
  • PowerPoint in Microsoft Office 2004 for Mac

These versions are long unsupported, and many organizations have migrated to modern Office installations. However, legacy systems still in use — often in industrial, educational, government, or niche enterprise environments — may remain vulnerable if they haven’t been updated or if historical file formats are still processed.

Why This Old Flaw Still Matters

CISA’s inclusion of such an old vulnerability underscores an important cybersecurity lesson: unsupported or end-of-life software can remain a real threat vector if still deployed in production environments. Attackers actively scan for such installations because they represent low-effort, high-reward opportunities for exploitation.

Successful exploitation of CVE-2009-0556 can allow attackers to execute code at the level of the logged-in user, potentially leading to malware deployment, data theft, or further lateral movement within a network if additional privileges are gained.
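The article's point that legacy systems stay exposed "if historical file formats are still processed" invites a content-based check at a mail or file gateway. The following is an added example, not code from the article, Microsoft or CISA: it tells the legacy OLE2 compound-file format used by binary .ppt decks apart from the OOXML ZIP package used by .pptx, so policy is applied to the legacy format even when the filename claims otherwise. The two header signatures are the documented ones for those container formats; the sample files are constructed in memory, and the policy verdicts ("quarantine", "allow", "review") are illustrative choices.

```python
"""Detect legacy binary PowerPoint files by content, not by extension.

Added example (not from the article, Microsoft or CISA). The sample files
are constructed in memory; the policy actions are illustrative.
"""
import io
import zipfile

# Header signature of an OLE2 / Compound File Binary container (binary .ppt).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Local file header signature of a ZIP archive (OOXML packages are ZIPs).
ZIP_MAGIC = b"PK\x03\x04"

LEGACY_EXTS = {"ppt", "pps", "pot"}
OOXML_EXTS = {"pptx", "pptm", "ppsx"}


def classify_presentation(data: bytes) -> str:
    """Return 'legacy-ole2', 'ooxml-pptx', 'zip-other' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            # Starts like a ZIP but has no valid central directory.
            return "unknown"
        # An OOXML presentation carries a content-types part and a ppt/ tree.
        if "[Content_Types].xml" in names and any(n.startswith("ppt/") for n in names):
            return "ooxml-pptx"
        return "zip-other"
    return "unknown"


def policy_decision(filename: str, data: bytes) -> dict:
    """Combine the content class with the claimed extension into a policy verdict."""
    kind = classify_presentation(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A modern extension over legacy bytes (or vice versa) is worth flagging on its own.
    mismatch = (ext in OOXML_EXTS and kind == "legacy-ole2") or (
        ext in LEGACY_EXTS and kind == "ooxml-pptx")
    if kind == "legacy-ole2":
        # Illustrative policy: hold legacy binary decks for review before delivery.
        action = "quarantine"
    elif kind == "ooxml-pptx":
        action = "allow"
    else:
        action = "review"
    return {"file": filename, "format": kind,
            "extension_mismatch": mismatch, "action": action}


def make_ole2_sample() -> bytes:
    """Constructed stand-in: a 512-byte OLE2 header carrying the real signature."""
    return OLE2_MAGIC + b"\x00" * (512 - len(OLE2_MAGIC))


def make_ooxml_sample() -> bytes:
    """Constructed stand-in: a minimal ZIP with the parts an OOXML deck would have."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("quarterly.ppt", make_ole2_sample()),
        ("deck.pptx", make_ole2_sample()),      # OLE2 bytes behind a .pptx name
        ("notes.pptx", make_ooxml_sample()),
        ("unknown.bin", b"not a presentation"),
    ]
    for name, blob in samples:
        print(policy_decision(name, blob))
```

The classifier reads only the container header and the ZIP directory, so it is cheap enough to run inline on every attachment; deeper checks (for example, confirming the `PowerPoint Document` stream inside the OLE2 container) would need a compound-file parser and are left out here.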

HPE OneView: A Critical Infrastructure Management Vulnerability

The other vulnerability flagged by CISA is CVE-2025-37164, a maximum-severity remote code execution flaw in Hewlett Packard Enterprise OneView, a key platform used by organizations to manage servers, storage, and networking gear.

Understanding HPE OneView

HPE OneView is an infrastructure management solution that provides a unified interface for provisioning, monitoring, and automating data center systems. Its role in data center operations and automation means that a significant vulnerability in OneView can have broad and deep consequences for enterprise security.

Technical Details of the Flaw

The OneView vulnerability allows an unauthenticated remote attacker to execute arbitrary code on affected systems due to improper handling of input in a publicly accessible API. This essentially gives attackers a direct path to compromise systems without needing valid credentials.

The flaw carries a CVSS score of 10.0, reflecting both the lack of authentication required and the potential impact of remote code execution. HPE has released patches for all affected versions prior to OneView 11.00, with hotfixes available for versions 5.20 through 10.x.

Proof-of-Concept and Real-World Risk

Security researchers rapidly published a proof-of-concept exploit shortly after HPE disclosed the issue and released its patches, underscoring the urgency of remediation. Publicly available exploit code significantly lowers the barrier for threat actors to weaponize the flaw and launch targeted or opportunistic attacks.

Because OneView is often deployed deep inside enterprise networks and trusted by other systems, a breach here can cascade into wider infrastructure compromise, including unauthorized access to servers, storage arrays, firmware, and automation workflows.

Federal Patch Deadlines and Broader Security Implications

Under CISA’s Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply patches for vulnerabilities listed in the KEV catalog by January 28, 2026, including these two new entries.

While this directive legally binds federal agencies, the alert also serves as a de facto industry urgency signal. Organizations outside the federal sphere — including critical infrastructure operators, private enterprises, and managed service providers — are strongly advised to prioritize these vulnerabilities in their patch management cycles.

The Broader Threat Landscape

The stark contrast between a decades-old PowerPoint vulnerability and a modern infrastructure management flaw illustrates the diverse nature of attack surfaces today. Cyber adversaries are not limited to newly discovered bugs; they actively seek any chance to exploit overlooked or forgotten weaknesses.

Legacy software is often found running in:

  • Industrial control systems
  • Financial institutions with complex compliance stacks
  • Healthcare facilities with long hardware refresh cycles
  • Education and research environments with mixed technology lifecycles

Meanwhile, modern management tools like HPE OneView are central to enterprise operations, automate critical tasks, and often hold elevated privileges across systems. Their compromise can enable attackers to move laterally across environments and disrupt operational continuity.

Practical Steps for Organizations

Given the active exploitation and serious impact potential of these vulnerabilities, organizations should adopt a proactive, prioritized approach to patching and mitigation:

1. Prioritize Immediate Patch Deployment

Apply available patches for HPE OneView and update Office installations or remove unsupported legacy software. Delaying these updates increases the likelihood of compromise.

2. Inventory Legacy Systems

Identify and document older Office versions still in use. If legacy software cannot be upgraded for operational reasons, consider isolating systems or restricting access to reduce exploitation risk.

3. Monitor for Exploit Activity

Deploy intrusion detection systems and threat intelligence feeds to recognize patterns associated with exploits targeting these vulnerabilities. Public proof-of-concept code can be integrated into automated attack tools, making monitoring crucial.

4. Strengthen Network Segmentation

Limit network access to management interfaces like OneView to trusted administrative zones, reducing the attack surface. Proper segmentation can contain malicious actors if other defenses fail.

5. Review Patch Management Processes

Ensure patch cycles are frequent and risk-driven, not merely calendar-based. Vulnerabilities actively exploited in the wild should take precedence over routine updates.
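The KEV catalog overview above describes the list as a prioritization guide, and the five steps here describe a risk-driven patch cycle; one script can serve both. The following is an added example, not code from the article or from CISA: it takes KEV records in the JSON layout the catalog feed uses (`cveID`, `vendorProject`, `product`, `requiredAction`, `dueDate`, `knownRansomwareCampaignUse`), matches them against an asset inventory, flags unsupported software that has no patch path and must be removed or isolated (steps 1 and 2), checks whether a management interface accepts connections from outside the administrative zones (step 4), and orders the work by KEV due date rather than by calendar (step 5). The KEV excerpt uses the two CVEs and the January 28, 2026 due date named in the article; everything else (hosts, versions, addresses, the affected-version rules, the "today" date) is constructed for the demonstration.

```python
"""Risk-driven patch triage against a CISA KEV excerpt.

Added example, not from the article or CISA. Field names follow the KEV
JSON feed layout; the records, inventory, zones and version rules are
constructed for this demonstration.
"""
from datetime import date
from ipaddress import ip_network
from typing import Callable

# Constructed KEV excerpt: the two CVEs and the due date the article names.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
         "product": "Office PowerPoint",
         "requiredAction": "Apply updates per vendor instructions or discontinue use.",
         "dueDate": "2026-01-28", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise (HPE)",
         "product": "OneView",
         "requiredAction": "Apply updates per vendor instructions or discontinue use.",
         "dueDate": "2026-01-28", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory. mgmt_sources = networks a host's management
# interface accepts connections from (empty for end-user workstations).
INVENTORY = [
    {"host": "plant-hmi-02", "product": "Office PowerPoint", "version": "2003 SP3",
     "supported": False, "mgmt_sources": []},
    {"host": "ws-117", "product": "Office PowerPoint", "version": "Microsoft 365",
     "supported": True, "mgmt_sources": []},
    {"host": "oneview-a", "product": "OneView", "version": "7.00",
     "supported": True, "mgmt_sources": ["10.20.0.0/24"]},
    {"host": "oneview-b", "product": "OneView", "version": "10.00",
     "supported": True, "mgmt_sources": ["10.20.0.0/24", "0.0.0.0/0"]},
    {"host": "oneview-c", "product": "OneView", "version": "11.00",
     "supported": True, "mgmt_sources": ["10.20.0.0/24"]},
]
ADMIN_ZONES = [ip_network("10.20.0.0/24")]   # constructed admin zone
DEMO_TODAY = date(2026, 1, 7)                # constructed "today" for the demo

# Affected-version rules (constructed from the article's product lists:
# the listed legacy PowerPoint builds; OneView releases before 11.00).
LEGACY_PPT = {"2000 SP3", "2002 SP3", "2003 SP3", "2004 for Mac"}


def version_tuple(v: str) -> tuple:
    """'10.00' -> (10, 0); used only for dotted numeric versions."""
    return tuple(int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split("."))


AFFECTED: dict[str, Callable[[str], bool]] = {
    "CVE-2009-0556": lambda v: v in LEGACY_PPT,
    "CVE-2025-37164": lambda v: version_tuple(v) < (11, 0),
}


def exposed_sources(asset: dict) -> list:
    """Management source networks that are not contained in an admin zone."""
    return [src for src in asset["mgmt_sources"]
            if not any(ip_network(src).subnet_of(zone) for zone in ADMIN_ZONES)]


def triage(kev: dict, inventory: list, today: date) -> list:
    """Match KEV entries to assets and return findings ordered by urgency."""
    findings = []
    for vuln in kev["vulnerabilities"]:
        rule = AFFECTED.get(vuln["cveID"])
        if rule is None:
            continue
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if vuln["product"].lower() not in asset["product"].lower():
                continue
            if not rule(asset["version"]):
                continue
            actions, score = [], 0
            if asset["supported"]:
                actions.append("patch")
            else:
                actions.append("remove or isolate (unsupported; no vendor patch path)")
                score += 1
            exposed = exposed_sources(asset)
            if exposed:
                actions.append("restrict management access from " + ", ".join(exposed))
                score += 2
            findings.append({"cve": vuln["cveID"], "host": asset["host"],
                             "version": asset["version"], "due": due.isoformat(),
                             "days_left": (due - today).days, "score": score,
                             "ransomware_use": vuln["knownRansomwareCampaignUse"],
                             "actions": actions})
    # Earliest KEV due date first, then most exposed, then by host name.
    findings.sort(key=lambda f: (f["due"], -f["score"], f["host"]))
    return findings


def run_demo() -> list:
    return triage(KEV_SAMPLE, INVENTORY, DEMO_TODAY)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['cve']} {f['host']} ({f['version']}) due {f['due']} "
              f"in {f['days_left']}d: {'; '.join(f['actions'])}")
```

Swapping `KEV_SAMPLE` for the downloaded catalog and `INVENTORY` for a CMDB export is the intended use; the product-name matching is deliberately loose (substring), so a real deployment should map KEV vendor/product strings to its own inventory identifiers before trusting the output.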

The Bottom Line

CISA’s decision to flag both a modern critical flaw in HPE OneView and a long-standing Microsoft Office vulnerability reinforces that cyber risk spans the entire technology lifecycle — from recently deployed systems to software released decades ago.

The KEV catalog additions serve as both a warning and a guidepost for cybersecurity teams globally to reassess priorities, harden defenses, and apply patches faster than ever before. In an era where threat actors rapidly weaponize vulnerabilities, waiting for the next Patch Tuesday or a quarterly maintenance window can leave organizations dangerously exposed.

Proactive patching, robust monitoring, and disciplined vulnerability management remain essential defenses against the evolving landscape of active exploitation threats.