Ethical Hacking News
CISA flags newly exploited vulnerabilities in Microsoft Office and HPE OneView software, warning that attackers are now abusing a maximum-severity bug in OneView management software and a years-old flaw in Microsoft Office. The latest update to CISA's Known Exploited Vulnerabilities catalog confirms that both flaws are being exploited in the wild, not merely that they exist.
Cybersecurity agencies are sounding the alarm on a pair of vulnerabilities that are being actively exploited by attackers. The Cybersecurity and Infrastructure Security Agency (CISA) has added two security holes to its list of known exploited vulnerabilities, warning that attackers are now abusing a maximum-severity bug in HPE's OneView management software and a years-old flaw in Microsoft Office.
The latest update to CISA's Known Exploited Vulnerabilities catalog flags CVE-2025-37164, a code injection vulnerability in HPE OneView, and CVE-2009-0556, a PowerPoint code injection bug that has been lurking for more than 15 years. According to the advisory issued by HPE, the flaw in OneView software could be exploited to inject and execute code, potentially granting full control of affected environments.
The availability of working exploit code significantly lowers the barrier for attackers to move from curiosity to compromise, according to eSentire. The OneView bug had already been framed as an assumed-breach scenario; with the publication of a proof-of-concept exploit by Rapid7, defenders are now being urged to treat any exposed, unpatched OneView instance as actively compromised rather than merely at risk.
The HPE OneView bug is a maximum-severity vulnerability rated 10.0 on the CVSS scale, while the Microsoft Office PowerPoint code injection vulnerability carries an 8.8 rating on the same scale. Beyond sharing a catalog entry date, the two bugs have little in common: the OneView flaw is a fresh enterprise-level vulnerability buried in the management machinery of modern datacenters, while the Microsoft Office bug is a years-old flaw that was patched long ago but is once again being exploited against installations that never received the fix.
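The practical first step after a KEV update is to pull the catalog's JSON feed and cross-reference it against your own asset inventory, paying attention to the dueDate field CISA attaches to each entry and to which entries are flagged for known ransomware use. The script below is an added example written for this article, not code from CISA, HPE or Microsoft. It runs against a constructed sample in the feed's shape so that it works offline: only the two CVE IDs come from the article, while the vendor strings, descriptions, dates, the deliberately invalid placeholder ID CVE-0000-0000 and the asset list are invented for the demonstration. Matching by vendor and product name is a simple heuristic you would replace with your CMDB's own identifiers.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the two CVE IDs are from the article; every other value is a placeholder
# made up for this example and is NOT copied from the real catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "0000.00.00",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise (HPE)",
         "product": "OneView", "vulnerabilityName": "placeholder name",
         "dateAdded": "2026-01-07", "shortDescription": "placeholder",
         "requiredAction": "placeholder", "dueDate": "2026-01-28",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
         "product": "Office", "vulnerabilityName": "placeholder name",
         "dateAdded": "2026-01-07", "shortDescription": "placeholder",
         "requiredAction": "placeholder", "dueDate": "2026-01-28",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        # Invalid placeholder ID with a past due date, to exercise the overdue path.
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "vulnerabilityName": "placeholder name",
         "dateAdded": "2025-11-10", "shortDescription": "placeholder",
         "requiredAction": "placeholder", "dueDate": "2025-12-01",
         "knownRansomwareCampaignUse": "Known", "notes": ""},
    ],
})

# Constructed asset inventory; hostnames and products are invented.
SAMPLE_INVENTORY = [
    {"host": "oneview-01.example.internal", "vendor": "HPE", "product": "OneView"},
    {"host": "ws-finance-12.example.internal", "vendor": "Microsoft", "product": "Office"},
    {"host": "db-03.example.internal", "vendor": "PostgreSQL", "product": "PostgreSQL"},
    {"host": "legacy-07.example.internal", "vendor": "ExampleVendor", "product": "ExampleProduct"},
]


def _norm(s):
    return s.casefold().strip()


def load_kev(text):
    """Parse a KEV feed and index its entries by CVE ID."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def lookup(catalog, cve_ids):
    """Split a list of CVE IDs into those present in the catalog and those absent."""
    found = {c: catalog[c] for c in cve_ids if c in catalog}
    missing = [c for c in cve_ids if c not in catalog]
    return found, missing


def match_inventory(catalog, inventory):
    """Heuristic join: exact product name, vendor matched as a substring either way."""
    hits = []
    for asset in inventory:
        av, ap = _norm(asset["vendor"]), _norm(asset["product"])
        for entry in catalog.values():
            ev, ep = _norm(entry["vendorProject"]), _norm(entry["product"])
            if ap == ep and (av in ev or ev in av):
                hits.append({"host": asset["host"], "cveID": entry["cveID"], "entry": entry})
    return hits


def prioritize(hits, today):
    """Order matched assets: overdue first, then known ransomware use, then nearest due date."""
    rows = []
    for h in hits:
        due = date.fromisoformat(h["entry"]["dueDate"])
        days = (due - today).days
        rows.append({
            "host": h["host"], "cveID": h["cveID"], "dueDate": due.isoformat(),
            "days_to_due": days, "overdue": days < 0,
            "ransomware": h["entry"]["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["days_to_due"]))
    return rows


def run_report(today_iso, kev_json=SAMPLE_KEV_JSON, inventory=SAMPLE_INVENTORY):
    """End-to-end: load feed, join against inventory, return the prioritized worklist."""
    catalog = load_kev(kev_json)
    return prioritize(match_inventory(catalog, inventory), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in run_report("2026-01-08"):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_to_due']:>3}d left"
        print(f"{flag:>9}  {row['cveID']:<15} {row['host']}")
```

Against a real feed you would replace SAMPLE_KEV_JSON with the downloaded file's contents and SAMPLE_INVENTORY with an export from your asset database; the sort order puts anything past its CISA due date at the top of the worklist regardless of CVSS score, which is the right instinct for a catalog whose entries are, by definition, already being exploited.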
Inclusion in the KEV catalog is CISA's signal that exploitation has actually been observed, not merely that a flaw exists. The addition of these two entries underlines that attackers are drawing on both brand-new enterprise bugs and software vulnerabilities that were long thought to be dealt with.
Cybersecurity firms had previously warned that the HPE OneView bug was unlikely to remain theoretical for long, and with the release of working exploit code, defenders are now being urged to treat exposed instances as an active breach. The Microsoft Office flaw, meanwhile, was patched years ago; the renewed exploitation shows that installations which never received that fix are still out there and still reachable.
For attackers, age is clearly not a deal-breaker if the exploit still works. Together, the two bugs highlight the ongoing threat posed by software vulnerabilities that were once thought to be long since fixed but are now being exploited by malicious actors.
The implications for organizations are direct: both vulnerabilities have vendor fixes available, so the immediate actions are to patch OneView and Office installations, to confirm that the patches actually reached every affected system rather than assuming a 2009 update was applied everywhere, and, for OneView instances that were exposed while unpatched, to investigate for signs of compromise rather than simply updating and moving on.
More broadly, organizations should review their patch-management and vulnerability-tracking processes so that KEV additions are acted on promptly. Staying informed about which vulnerabilities are being exploited in the wild, as opposed to which merely carry a high score, is what lets defenders stay one step ahead of malicious actors.
As the threat landscape continues to evolve, cybersecurity agencies will keep identifying newly exploited vulnerabilities and issuing timely warnings. The addition of the HPE OneView bug and the Microsoft Office PowerPoint code injection vulnerability to CISA's Known Exploited Vulnerabilities catalog is a reminder that defenders must treat such warnings as a call to act immediately, not as background noise.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Flags-Newly-Exploited-Vulnerabilities-in-Microsoft-Office-and-HPE-OneView-Software-ehn.shtml
Published: Thu Jan 8 07:55:39 2026 by llama3.2 3B Q4_K_M