The U.S. Cybersecurity and Infrastructure Security Agency has expanded its list of actively exploited vulnerabilities to include a critical flaw in HPE OneView and a legacy memory corruption issue in Microsoft Office PowerPoint. These additions require federal agencies to prioritize patching to prevent potential remote code execution and unauthorized access within their networks.
The inclusion of these specific vulnerabilities in the Known Exploited Vulnerabilities catalog highlights a persistent threat landscape that spans both modern infrastructure management tools and legacy productivity software. By mandating a response to these flaws, CISA aims to close security gaps that are already being leveraged by malicious actors in real-world attacks. The directive serves as a formal requirement for federal civilian agencies, though security experts emphasize that private sector organizations should also treat these updates as high priorities for their own defense.
The more critical of the two additions is CVE-2025-37164, a vulnerability in Hewlett Packard Enterprise OneView that carries a maximum severity score of 10.0. This flaw represents a significant risk because OneView is used to manage and automate entire data center environments, including servers, storage, and networking hardware. The vulnerability allows unauthenticated attackers to execute code remotely in all versions up to 10.20, giving an attacker a direct path to total control over an organization's underlying IT infrastructure.
In contrast, the Microsoft PowerPoint flaw, identified as CVE-2009-0556, demonstrates the longevity of certain cyber threats despite the age of the software involved. This memory corruption issue is triggered when a user opens a specially crafted presentation file containing an invalid index. Although the vulnerability was first observed in the wild over a decade ago affecting versions like PowerPoint 2000 and 2003, its recent inclusion in the catalog suggests that legacy systems remaining in use continue to be viable targets for exploitation.
Federal Civilian Executive Branch agencies are now bound by specific deadlines to mitigate these risks as part of a broader strategy to reduce the national attack surface. This process involves identifying any instances of the affected software within their environments and applying the necessary security updates or configuration changes provided by the vendors. Failure to address these vulnerabilities by the designated due dates could leave government networks exposed to well-documented exploitation techniques that lead to full system compromise.
While the primary mandate applies to government entities, the broader cybersecurity community views these catalog updates as essential intelligence for risk management. Organizations are encouraged to review their internal assets for any presence of HPE OneView or older Microsoft Office installations that might still be active. Proactively addressing these known vulnerabilities is considered a fundamental practice in maintaining a resilient security posture against both opportunistic and targeted cyber threats.
Source: CISA Adds HPE OneView And Microsoft PowerPoint Flaws To Exploited List
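The article's recommended response is to find every instance of the affected software and compare it against the catalog. The script below, an added example that is not code from the article or from CISA, does that matching over a constructed inventory: it reuses the public KEV JSON field names (cveID, vendorProject, product, dueDate), but the catalog values, hostnames and versions are constructed from the article, the due dates are placeholders because the article does not state them, and the version rules (OneView at or below 10.20; PowerPoint 2000 and 2003 as the only named examples) are assumptions drawn from the text.

```python
import re

# Added example (not from the article or CISA). Catalog records reuse the public KEV JSON
# field names cveID/vendorProject/product/dueDate; values are constructed from the article.

def version_tuple(v: str) -> tuple:
    """Numeric prefix of a version string: '10.20' -> (10, 20), '2003 SP3' -> (2003,)."""
    head = v.split()[0] if v.strip() else ""
    return tuple(int(x) for x in re.findall(r"\d+", head))

def oneview_affected(version: str) -> bool:
    # Article: "all versions up to 10.20"; no fixed release named, so <= 10.20 is flagged.
    return version_tuple(version)[:2] <= (10, 20)

def powerpoint_affected(version: str) -> bool:
    # Article names 2000 and 2003 as examples only; widen this set from the vendor advisory.
    return version_tuple(version)[:1] in {(2000,), (2003,)}

KEV = [  # constructed excerpt; "affected" is this script's rule, not a KEV field
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise", "product": "OneView",
     "dueDate": "<placeholder: not given in article>", "affected": oneview_affected},
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft", "product": "PowerPoint",
     "dueDate": "<placeholder: not given in article>", "affected": powerpoint_affected},
]

INVENTORY = [  # constructed asset records, with the inconsistent spelling real tools produce
    {"host": "dc-mgmt-01", "vendor": "HPE", "product": "Oneview", "version": "10.20"},
    {"host": "dc-mgmt-02", "vendor": "HPE", "product": "OneView", "version": "10.30"},
    {"host": "legacy-ws-7", "vendor": "Microsoft", "product": "PowerPoint", "version": "2003 SP3"},
    {"host": "fin-ws-12", "vendor": "Microsoft", "product": "PowerPoint", "version": "2016"},
    {"host": "dc-mgmt-03", "vendor": "HPE", "product": "OneView", "version": "9.10"},
]

def norm(name: str) -> str:
    """Case- and whitespace-insensitive product key (inventory tools spell names inconsistently)."""
    return re.sub(r"\s+", "", name).lower()

def find_exposed(inventory, catalog):
    """One finding per (asset, CVE) whose installed version falls in the affected range."""
    findings = []
    for asset in inventory:
        for entry in catalog:
            if norm(entry["product"]) == norm(asset["product"]) and entry["affected"](asset["version"]):
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "version": asset["version"], "dueDate": entry["dueDate"]})
    return findings
```

Note that dc-mgmt-02 on 10.30 and fin-ws-12 on PowerPoint 2016 are not flagged, while the 10.20 host is, since the article gives no fixed release above 10.20.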

Solid piece on how CVE-2025-37164 exposes entire datacenter infrastructures through HPE OneView. What really stood out to me is the contrast between that 10.0 CVSS score and a 15-year-old PowerPoint bug getting added together; it shows how much legacy tech is still actively abused. The piece about CISA requiring private orgs to treat these as high priority is critical given that most shops I've worked in don't audit OneView deployments nearly enough. Real question is whether orgs will actually inventory which systems are exposed or just wait for an incident to force the issue.