CISA Adds CVE-2009-0556 PowerPoint and CVE-2025-37164 OneView to KEV Catalog

CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog — an archival Microsoft PowerPoint code-injection flaw (CVE-2009-0556) and a newly disclosed, critical HPE OneView code-injection/remote-code-execution vulnerability (CVE-2025-37164) — citing evidence of active exploitation and urging immediate remediation across affected environments.

Image caption: CISA KEV Catalog flags CVEs, including remote code execution threats, with a warning.

Background

The Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) Catalog is a prioritized list of CVEs that CISA has determined are actively exploited in the wild. The Catalog is the enforcement anchor for Binding Operational Directive BOD 22‑01, the federal mandate that requires Federal Civilian Executive Branch (FCEB) agencies to remediate KEV-listed vulnerabilities by the due date shown in each KEV entry. While BOD 22‑01 applies formally to federal agencies, CISA’s public advisories also function as a de‑facto alerting mechanism for private-sector defenders and security operations teams.
KEV additions typically follow confirmed evidence of exploitation or credible reports of active adversary abuse. The Catalog covers everything from legacy desktop applications to modern infrastructure controllers. Because the KEV list is a living document, it sometimes includes older CVEs when threat intelligence indicates attackers have resumed exploiting long-known weaknesses in environments that remain unpatched.

What was added and why it matters

  • CVE-2009-0556 — Microsoft Office PowerPoint Code Injection Vulnerability
    This is a memory‑corruption/code‑injection vulnerability originally disclosed in 2009. Microsoft published security updates at the time because targeted attacks were observed in the wild. CISA’s decision to add CVE‑2009‑0556 to the KEV Catalog reflects current evidence that adversaries are again leveraging this legacy PowerPoint flaw against unpatched or out‑of‑support systems still present in some networks.
  • CVE-2025-37164 — HPE OneView Code Injection / Remote Code Execution Vulnerability
    This is a critical, unauthenticated code‑injection flaw in HPE OneView that allows remote attackers to execute arbitrary code. Reports from multiple security vendors and HPE advisories indicate the vulnerability affects OneView versions prior to a fixed release (upgrade path to 11.0 or vendor hotfixes) and that a PoC/exploit exists. Because OneView orchestrates servers, firmware and hardware configuration at scale, a compromise here can have immediate, far‑reaching effects on datacenter infrastructure.
Both vulnerability classes — legacy Office document exploitation and remote code execution in infrastructure management software — are well‑known, high‑value targets for ransomware groups, espionage actors, and supply‑chain attackers. The KEV addition signals urgency: defenders should treat these as active threats, not mere patching housekeeping.

Overview: KEV, BOD 22‑01 and operational impact

How CISA’s KEV Catalog is used

  • The KEV Catalog lists CVEs CISA believes are being exploited in the wild.
  • Each KEV entry includes a due date by which federal agencies must complete remediation or implement compensating controls, per BOD 22‑01.
  • The directive is intentionally aggressive: it forces agencies to prioritize fixes, and private-sector organizations are strongly urged to follow those timelines.

Why KEV matters to enterprise defenders

  • KEV items are top priority — they carry evidence of active exploitation.
  • Attackers often chain KEV‑listed flaws with lateral‑movement and privilege‑escalation techniques to reach high-value targets.
  • Inclusion in KEV places operational pressure on SOCs to identify affected assets fast and deploy mitigations promptly.

Deep dive: CVE‑2009‑0556 (Microsoft PowerPoint)

Technical summary

CVE‑2009‑0556 is a memory‑corruption vulnerability in Microsoft Office PowerPoint that can be triggered by opening a specially crafted PowerPoint file. Historically, exploitation required user interaction — typically opening an attachment or viewing a file delivered via a web link. The root cause involves improper validation of certain PowerPoint file record fields (OutlineTextRefAtom index values), leading to memory corruption and the ability to execute arbitrary code.

Affected products and scope

  • The original advisories identified older PowerPoint versions (circa 2000–2007 era) and related viewers as vulnerable.
  • Modern, supported Microsoft 365/Office versions have long received mitigations for the underlying issues; however, legacy systems, outdated viewers, and isolated environments (air‑gapped devices, older virtualization images, long‑running automation hosts) may still run copies susceptible to the original exploit vector.

Why an old CVE is back in the spotlight

  • Many organizations still operate legacy endpoints and services for compatibility reasons; attackers repeatedly hunt for such targets.
  • Document‑based delivery remains a low‑cost, effective initial access technique — especially via phishing and lure documents.
  • CISA’s inclusion implies fresh operational telemetry indicating renewed exploitation, likely targeting older or improperly hardened endpoints.

Recommended mitigations for administrators

  • Inventory assets and identify hosts still running unsupported Office or legacy PowerPoint viewers.
  • Apply vendor patches where available; if supported versions remain vulnerable, upgrade to supported Office builds.
  • Where upgrade isn’t immediately feasible, implement compensating controls:
      • Block or quarantine common document delivery vectors (e.g., restrict PowerPoint file types at mail gateways).
      • Enforce macro and OLE object restrictions, disable outdated viewers, and use application allow lists.
      • Deploy robust EDR/endpoint detection rules tuned for exploitation patterns and suspicious child processes spawned by Office apps.
  • Conduct targeted phishing‑simulation and user awareness training to reduce successful lure attacks.

Deep dive: CVE‑2025‑37164 (HPE OneView) — why this one is different

Technical summary and severity

CVE‑2025‑37164 is described as a code injection / remote code execution vulnerability in HPE OneView that can be exploited without authentication. Reports indicate the vulnerability affects OneView versions prior to a vendor‑released fixed version (11.0 or a hotfix), and that the issue stems from insufficient input validation in OneView’s REST APIs (reported targets include id‑pools and related endpoints). Multiple vendors assigned a maximum severity (CVSS 10.0) given the unauthenticated RCE nature and the systemic impact of OneView compromise.

Why OneView is a high‑value target

  • Centralized control: OneView manages firmware, boot order, network configurations, and hardware state across many hosts. An attacker with RCE here can persist at the infrastructure layer, install backdoors into firmware, and reconfigure hardware in ways that are difficult for traditional OS‑level security tools to detect.
  • Blast radius: Because OneView can orchestrate many servers, compromise of a single management instance can lead to wide lateral propagation and supply‑chain style impact inside a data center.
  • Low friction exploit: Reports indicate unauthenticated exploitation is possible, and PoC code has been discussed in the wild, raising exploitation probability.

Confirmed availability of patches and mitigating actions

  • HPE has published advisories and a patch/upgrade path; vendors in this position usually recommend immediate upgrades to a fixed release and have provided hotfixes for critical cloud or virtual appliance deployments.
  • No robust workarounds appear to exist — the recommended approach is to apply vendor hotfixes or upgrade to the fixed version.
  • Where immediate patching is operationally difficult, administrators should:
      • Isolate OneView appliances from public networks and limit management access to trusted administration VLANs.
      • Restrict API access with network ACLs and require administrative sessions to originate from jump hosts with strong MFA.
      • Monitor OneView logs and network telemetry for suspicious API calls and unexpected configuration changes.

Operational playbook — what to do now (prioritized, actionable steps)

  • Establish a focused incident response team for KEV remediation and threat hunting.
  • Rapid asset discovery: enumerate all instances of OneView, all PowerPoint viewers and legacy Office installations, and identify internet‑exposed management interfaces.
  • Apply vendor updates immediately:
      • Upgrade HPE OneView to the fixed version (or apply vendor hotfix).
      • Apply available Microsoft updates or remove legacy PowerPoint viewers from production endpoints.
  • If patches cannot be applied immediately, implement compensating controls:
      • Network isolation and microsegmentation for management consoles.
      • Block inbound access to OneView management ports at perimeter devices; enforce allow‑lists.
      • Email gateway rules to block/strip PowerPoint attachments from unknown senders; sandbox suspicious documents.
  • Hunt and investigate:
      • Check EDR for indicators of exploitation: unexpected child processes from PowerPoint, suspicious HTTP API calls to OneView, or anomalous firmware/update activity.
      • Review authentication logs and change history in OneView for unauthorized changes.
  • Backups and recovery:
      • Verify recent backups and test restores for affected systems; maintain air‑gapped backups where feasible.
  • Communicate:
      • Notify executive leadership and third‑party vendors where impacted.
      • For federal agencies, track remediation progress per BOD 22‑01 reporting rules.
  • Post‑remediation validation:
      • Re‑scan the environment with an authoritative vulnerability scanner and ensure KEV‑listed CVEs are no longer present.
      • Re‑baseline detection rules and adjust monitoring for future related attempts.
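The "hunt and investigate" step above, as an added detection example that is not from CISA, HPE or Microsoft: it runs two simple rules over constructed EDR process events and constructed appliance access-log lines. The JSON field names, the `auth=` marker and the `/rest/...` paths are assumptions for illustration; only the `id-pools` endpoint name comes from the reporting summarized above.

```python
"""Added hunting example (not from the advisory). Field names, the auth marker and
the /rest/... paths are assumptions; the telemetry below is constructed, not real."""
import json
import re

# Constructed EDR process-creation events (JSON lines), one per process start.
PROCESS_EVENTS = """\
{"host":"ws01","parent":"POWERPNT.EXE","image":"cmd.exe","cmdline":"cmd.exe /c whoami"}
{"host":"ws01","parent":"POWERPNT.EXE","image":"splwow64.exe","cmdline":"splwow64.exe 12288"}
{"host":"ws02","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell -File a.ps1"}
{"host":"ws03","parent":"pptview.exe","image":"powershell.exe","cmdline":"powershell -enc AAAA"}
"""

# Constructed OneView-style access-log lines; "auth=-" marks a request with no session token.
ONEVIEW_LOG = """\
10.0.5.20 - [01/Jan/2025:10:00:01] "POST /rest/login-sessions HTTP/1.1" 200 auth=-
10.0.5.20 - [01/Jan/2025:10:00:02] "GET /rest/server-hardware HTTP/1.1" 200 auth=session
203.0.113.7 - [01/Jan/2025:10:01:13] "POST /rest/id-pools/ipv4/ranges HTTP/1.1" 200 auth=-
203.0.113.7 - [01/Jan/2025:10:01:14] "PUT /rest/id-pools/ipv4/subnets HTTP/1.1" 200 auth=-
"""

OFFICE_PARENTS = {"powerpnt.exe", "pptview.exe", "winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ auth=(?P<auth>\S+)$')
# Paths that are legitimately called without a session (assumed: only the login endpoint).
UNAUTH_OK = {"/rest/login-sessions"}

def office_spawned_shells(events: str) -> list:
    """Return (host, parent, image) where an Office process starts a shell or script host,
    the post-exploitation pattern a document exploit such as CVE-2009-0556 would leave."""
    hits = []
    for line in events.splitlines():
        ev = json.loads(line)
        if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SHELLS:
            hits.append((ev["host"], ev["parent"], ev["image"]))
    return hits

def unauthenticated_api_calls(log: str) -> list:
    """Return (ip, method, path) for requests with no session outside the login endpoint;
    an unauthenticated hit on id-pools is exactly what the OneView reports describe."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and m["auth"] == "-" and m["path"] not in UNAUTH_OK:
            hits.append((m["ip"], m["method"], m["path"]))
    return hits

if __name__ == "__main__":
    for h in office_spawned_shells(PROCESS_EVENTS):
        print("ALERT office->shell", h)
    for h in unauthenticated_api_calls(ONEVIEW_LOG):
        print("ALERT unauthenticated OneView API call", h)
```

The splwow64.exe event is a benign print-helper spawn and is deliberately not flagged; tune OFFICE_PARENTS and SHELLS to the parent/child names your EDR actually records.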

Strategic analysis: strengths, risks and unintended consequences

Strengths of CISA’s KEV process

  • Prioritization clarity: KEV forces organizations to treat certain flaws as immediate priorities, reducing ambiguity for busy security teams.
  • Timeliness: By adding vulnerabilities based on active exploitation telemetry, KEV helps channel scarce patching resources to the highest‑risk issues.
  • Public pressure on vendors: KEV listings shine a spotlight on vendor patching timeliness and may accelerate hotfix development and dissemination.

Risks and practical challenges

  • Operational friction: Immediate remediation demands can cause downtime, especially when fixes require major version upgrades, reboots, or rolling out hotfixes to clustered controllers.
  • Legacy technical debt: Some organizations maintain legacy Office installations and embedded systems that cannot be upgraded quickly, leaving them trapped between operational needs and security obligations.
  • False sense of completeness: KEV focuses on exploited CVEs; not being in KEV doesn’t mean a vulnerability is low risk. Organizations can be misled if they treat KEV as the only source of truth.
  • Exploitation disclosure risk: Publishing that a CVE is actively exploited (without disclosing full details) can both help defenders and potentially spur further attacker interest. There is a delicate balance between transparency and fueling exploit development.

Specific concerns about these two vulnerabilities

  • Adding a 2009 Office CVE to KEV underlines how attackers exploit legacy software — an ongoing structural weakness for many enterprises. The presence of such legacy footprints is both a security and asset‑management failure.
  • The OneView flaw is emblematic of a larger trend: attackers increasingly focus on orchestration and infrastructure management platforms because they offer high leverage. Compromise at this layer can evade endpoint security and persist very effectively.

Tactical recommendations for security leaders

  • Treat infrastructure management consoles (OneView, iLO, iDRAC, HPE Synergy Composer, etc.) as crown‑jewel assets; adopt zero‑trust controls and strict network segmentation.
  • Maintain an accurate, up‑to‑date asset inventory that includes versions, management endpoints, and internet exposure.
  • Operationalize patch risk analysis: test patches in staging, but have an expedited path for emergency deployment when KEV entries indicate active exploitation.
  • Invest in compensating controls: network ACLs, jump hosts, MFA, strong logging and alerting on config changes, and immutable audit trails for orchestration platforms.
  • For legacy desktop ecosystems, consider removing unsupported viewers and enforcing document security policies: sandboxing, attachment stripping, and disabling legacy file formats where practicable.

What defenders should expect next

  • Increased KEV churn: expect CISA to continue adding both newly discovered exploited vulnerabilities and older, resurfacing issues. Attackers opportunistically pivot to any unpatched attack surface.
  • More public PoCs and exploit write‑ups: high‑severity flaws like the OneView RCE will attract proof‑of‑concept development; defenders must assume PoC code will be weaponized rapidly.
  • Greater pressure on vendor security lifecycle: hardware and orchestration vendors will face scrutiny to produce timely mitigations and clear upgrade paths for large, heterogeneous customer bases.

Caveats and unverifiable elements

  • The KEV listing confirms evidence of exploitation, but public sources rarely quantify scope — how many organizations or which specific victims were affected. The scale of exploitation for these two CVEs is not publicly verifiable beyond CISA’s statement and vendor advisories.
  • For CVE‑2009‑0556, past exploitation is historically documented; CISA’s current addition signals renewed activity, yet the frequency and targets of that renewed activity are not fully public.
  • For CVE‑2025‑37164 (HPE OneView), multiple security vendors report PoC availability and high impact. The presence of proof‑of‑concept code increases risk, but whether large‑scale exploitation has occurred is often only confirmed later through forensic disclosures or coordinated incident reporting.
Where public reporting is incomplete, defenders must operate on a risk‑management posture that presumes likely exploitation and prioritize containment and hardening accordingly.

Final assessment

CISA’s addition of CVE‑2009‑0556 and CVE‑2025‑37164 to the KEV Catalog is a stark reminder of two enduring truths in modern cybersecurity: attackers will recycle old vulnerabilities where defenders carry technical debt, and they will relentlessly target orchestration and management layers for maximum impact. The combination of a legacy Office document exploit and an unauthenticated RCE in an infrastructure controller represents a one‑two punch: easy initial access via documents and a high‑value pivot point in the datacenter.
Security teams must move fast: inventory, isolate, patch, and hunt. Where immediate patching is impossible, implement compensating controls and devote continuous monitoring to the affected assets. Organizations that treat KEV listings as optional reading rather than operational mandates risk rapid compromise and long, painful recovery cycles.
The immediate, practical takeaway is simple: assume active adversary interest; treat both KEV entries as emergency tickets; and apply vendor mitigations and network protections now.

Source: CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA