Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2009-0556 (CVSS score: 8.8) - A code injection vulnerability in Microsoft Office
Analysis Summary
# Vulnerability: Microsoft Office Code Injection (CVE-2009-0556) & HPE OneView RCE (CVE-2025-37164)
## CVE Details
- CVE ID: CVE-2009-0556
- CVSS Score: 8.8 (High)
- CWE: (Not Explicitly Specified, but context implies Code Injection/Memory Corruption)
---
## CVE Details (Secondary Vulnerability noted in context for completeness)
- CVE ID: CVE-2025-37164
- CVSS Score: 10.0 (Critical)
- CWE: (Not Explicitly Specified, but context implies Remote Code Execution)
## Affected Systems
- Products: Microsoft Office (specifically PowerPoint mentioned), Hewlett Packard Enterprise (HPE) OneView
- Versions:
- CVE-2009-0556: Specific vulnerable versions of Microsoft Office are not detailed in the summary, but the associated bulletin is MS09-017.
- CVE-2025-37164: All versions of HPE OneView prior to version 11.00.
- Configurations: N/A
## Vulnerability Description
**CVE-2009-0556:** This is a code injection vulnerability within Microsoft Office PowerPoint. Successful exploitation relies on memory corruption to allow remote attackers to execute arbitrary code.
**CVE-2025-37164:** This is a code injection vulnerability in HPE OneView allowing a remote, unauthenticated user to achieve Remote Code Execution (RCE).
## Exploitation
- Status:
- CVE-2009-0556: Listed on KEV catalog, implying active exploitation, though exploitation status is not detailed further.
- CVE-2025-37164: CISA added to KEV catalog. While the scope and source of attacks are unclear, a detailed Proof-of-Concept (PoC) was publicly released by eSentire on December 23, 2025, significantly increasing risk.
- Complexity: Unknown/Not specified for CVE-2009-0556. Medium to High for CVE-2025-37164 due to PoC release.
- Attack Vector: Likely Network/Remote for both, given the description of remote attackers/unauthenticated access.
## Impact
*Note: Impact levels are inferred based on the vulnerability type (Code Injection/RCE combined with KEV listing).*
- Confidentiality: High (Arbitrary Code Execution)
- Integrity: High (Arbitrary Code Execution)
- Availability: High (Potential for system compromise/disruption)
## Remediation
### Patches
- **CVE-2009-0556:** Reference Microsoft Security Bulletin MS09-017 for specific patch details.
- **CVE-2025-37164:** HPE has made available hotfixes for HPE OneView versions 5.20 through 10. Organizations must update to version 11.00 or later to fully mitigate the risk.
### Workarounds
- No specific workarounds are mentioned in the provided text, however, immediate patching per vendor guidance is strongly advised. (For CVE-2025-37164, upgrading past vulnerable versions is the primary advice).
## Detection
- Detection indicators are not specified in the provided text, but organizations should monitor file processing events related to Office documents (for CVE-2009-0556) and network traffic/API calls to HPE OneView instances for anomalous activity indicative of RCE attempts targeting the specific version flaws.
- Mitigation Strategy (for FCEB agencies): Apply fixes by January 28, 2026 (per CISA BOD 22-01).
## References
- Vendor Advisory (CVE-2009-0556): hxxps://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-017
- CISA KEV Addition: hxxps://www.cisa.gov/news-events/alerts/2026/01/07/cisa-adds-two-known-exploited-vulnerabilities-catalog
- CVE 2009-0556 Record: hxxps://www.cve.org/CVERecord?id=CVE-2009-0556
- CVE 2025-37164 Record: hxxps://www.cve.org/CVERecord?id=CVE-2025-37164
- CISA BOD 22-01: hxxps://www.cisa.gov/binding-operational-directive-22-01