The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning about two software vulnerabilities that are currently being exploited by attackers. These flaws affect Microsoft Office and HPE OneView, two widely used enterprise technologies. Because there is confirmed evidence of active attacks, CISA has added both issues to its Known Exploited Vulnerabilities (KEV) catalog. This signals an immediate risk that organizations should not ignore.
The KEV catalog is maintained by CISA to highlight vulnerabilities that are not just theoretical but are already being used in real-world cyberattacks. When a flaw appears on this list, it means attackers have found ways to exploit it successfully. CISA expects organizations to treat KEV-listed issues as high priority. Quick action can prevent data breaches, service outages, and larger security incidents.
One of the vulnerabilities affects Microsoft Office PowerPoint and is tracked as CVE-2009-0556. This flaw allows attackers to inject and execute malicious code through specially crafted PowerPoint files. If a victim opens such a file, the attacker may gain control over the system. This can lead to malware installation, data theft, or further compromise of the device.
The second vulnerability is even more critical and affects Hewlett Packard Enterprise OneView, identified as CVE-2025-37164. HPE OneView is used by many organizations to manage servers and infrastructure from a central platform. The flaw allows remote code execution without requiring user authentication. This means an attacker could take control of critical systems from outside the network.
These vulnerabilities are especially dangerous because they allow remote code execution. In simple terms, this gives attackers the ability to run their own commands on a targeted system. Once access is gained, attackers may deploy ransomware, steal sensitive information, or disrupt business operations. The impact can be severe, particularly in enterprise and government environments.
The risk increased further after technical exploit details for the HPE OneView vulnerability became publicly available. When such information is released, even less-skilled attackers can attempt to use it. This makes unpatched systems easy targets. CISA added the vulnerability to the KEV catalog to highlight the growing threat and urgency of mitigation.
CISA has directed U.S. federal agencies to apply fixes for both vulnerabilities by January 28, 2026. While this deadline is mandatory for government bodies, private organizations are also strongly advised to follow it. Delaying patches increases the likelihood of successful attacks. Vendors have already released updates to address both issues.
To stay protected, organizations should immediately apply the latest security patches from Microsoft and HPE. Systems running older versions of HPE OneView must be upgraded or hotfixed without delay. Network access to management tools should be restricted, and security teams should monitor for unusual activity. Acting quickly now can prevent serious damage later.
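As an added example (not part of the original article), the following Python script shows how a security team might automate the prioritization the article describes: it cross-references an asset inventory with KEV entries and flags hosts whose remediation due date has passed. The feed records, hostnames and inventory are constructed for the example; the field names follow CISA's published KEV JSON feed, and only the CVE ids and the January 28, 2026 due date come from the article.

```python
"""Triage an asset inventory against CISA KEV entries and flag overdue remediation."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (not the live feed).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "Office PowerPoint", "dueDate": "2026-01-28",
     "requiredAction": "Apply vendor updates."},
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise",
     "product": "OneView", "dueDate": "2026-01-28",
     "requiredAction": "Upgrade or apply vendor hotfix."},
]})

# Constructed inventory: hostnames and patch state are invented for the example.
INVENTORY = [
    {"host": "mgmt-01.example.internal", "vendor": "Hewlett Packard Enterprise",
     "product": "OneView", "patched_cves": []},
    {"host": "ws-117.example.internal", "vendor": "Microsoft",
     "product": "Office PowerPoint", "patched_cves": ["CVE-2009-0556"]},
    {"host": "ws-203.example.internal", "vendor": "Microsoft",
     "product": "Office PowerPoint", "patched_cves": []},
]


def load_kev(feed_json: str) -> dict:
    """Index KEV entries by CVE id so each asset can be checked in one pass."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(feed_json: str, inventory: list, today: date) -> list:
    """Return one finding per (host, CVE) still exposed; overdue items sort first."""
    kev = load_kev(feed_json)
    findings = []
    for asset in inventory:
        for cve, entry in kev.items():
            same_vendor = entry["vendorProject"].lower() == asset["vendor"].lower()
            same_product = entry["product"].lower() == asset["product"].lower()
            if not (same_vendor and same_product) or cve in asset["patched_cves"]:
                continue  # not affected, or already remediated
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": asset["host"], "cve": cve, "due": entry["dueDate"],
                             "days_left": (due - today).days, "overdue": today > due,
                             "action": entry["requiredAction"]})
    # Overdue first, then the shortest remaining window.
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_FEED, INVENTORY, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']}: {f['cve']} due {f['due']} ({state}) - {f['action']}")
```

Point the loader at the real KEV feed and your CMDB export to turn this into a daily report; the exact-match on vendor and product strings is deliberately strict, so normalize names on the inventory side.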
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news



