Full Report
Max-severity OneView hole joins a PowerPoint bug that should've been retired years ago

CISA has added a pair of security holes to its actively exploited list, warning that attackers are now abusing a maximum-severity bug in HPE's OneView management software and a years-old flaw in Microsoft Office.…
Analysis Summary
# Vulnerability: Active Exploitation of HPE OneView RCE and Legacy MS Office Flaw
## CVE Details
- CVE ID: CVE-2025-37164
  - CVSS Score: 10.0 (Critical)
  - CWE: Not specified in detail, but described as code injection.
- CVE ID: CVE-2009-0556
  - CVSS Score: 8.8 (High)
  - CWE: Memory Corruption (Implied by description: "memory corruption when a user opens a specially crafted PowerPoint file.")
## Affected Systems
- **Products:** HPE OneView (for CVE-2025-37164); Microsoft Office PowerPoint (for CVE-2009-0556).
- **Versions:** Vulnerable versions for CVE-2025-37164 are not listed in the summary; the flaw affects the OneView management software.
- **Configurations:** Exploitation for CVE-2009-0556 requires the user to open a specially crafted PowerPoint file.
## Vulnerability Description
**CVE-2025-37164 (HPE OneView):** A maximum-severity code injection vulnerability in HPE OneView management software. Successful exploitation allows an attacker to inject and execute code, potentially leading to full control over affected environments (servers, storage, and networking gear managed by OneView).
**CVE-2009-0556 (MS Office):** A code injection vulnerability in Microsoft Office PowerPoint. It allows remote attackers to execute arbitrary code due to memory corruption when a user opens a malicious presentation file.
## Exploitation
- **Status (CVE-2025-37164):** Exploited in the wild (Added to CISA KEV catalog). PoC has been published (by Rapid7).
- **Status (CVE-2009-0556):** Actively exploited (Added to CISA KEV catalog), despite being patched over 15 years ago.
- **Complexity (CVE-2025-37164):** Implied Low due to public PoC, suggesting an assumed-breach scenario.
- **Complexity (CVE-2009-0556):** Implied Low, as a simple action (opening a file) leads to execution.
- **Attack Vector:** Network (for both, based on remote code execution potential).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2025-37164** | High (Potential full control) | High (Potential full control) | High (Potential full control) |
| **CVE-2009-0556** | High (Arbitrary code execution) | High (Arbitrary code execution) | High (Arbitrary code execution) |
## Remediation
### Patches
- **CVE-2025-37164:** Refer to the HPE December 18 advisory for specific patch information (Advisory ID: hpesbgn04985en_us).
- **CVE-2009-0556:** Patched previously by Microsoft as part of security bulletin **MS09-017**. Systems still vulnerable require updating to the patched version.
### Workarounds
- No specific workarounds were detailed in the provided context, beyond applying vendor patches. For CVE-2009-0556, strict control over opening suspicious files is critical.
## Detection
- **Indicators of Compromise:** Relevant IOCs are likely tied to successful exploitation of CVE-2025-37164 resulting in code execution within the HPE OneView environment.
- **Detection Methods and Tools:** Monitor HPE OneView management infrastructure for unexpected process execution or configuration changes indicative of RCE. For CVE-2009-0556, file inspection logs for crafted PowerPoint files are relevant.
## References
- CISA Known Exploited Vulnerabilities Catalog (Check CISA for latest updates: cisa.gov/news-events/alerts/2026/01/07/cisa-adds-two-known-exploited-vulnerabilities-catalog)
- HPE Advisory: support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US
- eSentire Advisory: esentire.com/security-advisories/poc-released-for-hpe-oneview-vulnerability-cve-2025-37164
- Microsoft Security Bulletin (2009): learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-017