

Ethical Hacking News

CISA Flags Two Microsoft Office Vulnerabilities and HPE OneView Flaw Amidst Rising Cyber Threat Landscape


Two security flaws in Microsoft Office and HPE OneView have been identified by CISA, citing evidence of active exploitation. Organizations are advised to apply updates immediately to mitigate the potential risk of attack.

  • CISA has issued a warning about two security vulnerabilities in Microsoft Office and HPE OneView.
  • The vulnerabilities, CVE-2009-0556 and CVE-2025-37164, allow remote attackers to execute arbitrary code and have high-severity scores of 8.8 and 10.0 respectively.
  • Organizations are advised to apply updates immediately to mitigate the potential risk of attack.
  • CISA recommends that FCEB agencies apply fixes by January 28, 2026, to secure their networks against active threats.



    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about two security vulnerabilities affecting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView, citing evidence of active exploitation. This alert comes as the threat landscape continues to evolve, with new attacks emerging daily.

    According to CISA, the vulnerabilities are listed below:

    CVE-2009-0556 - A code injection vulnerability in Microsoft Office PowerPoint that allows remote attackers to execute arbitrary code by means of memory corruption. The CVSS score for this vulnerability is 8.8, indicating a high level of severity and risk.

    CVE-2025-37164 - A code injection vulnerability in HPE OneView that allows a remote unauthenticated user to perform remote code execution. The CVSS score for this vulnerability is 10.0, making it one of the most severe vulnerabilities reported by CISA recently.

    The scope and source of the attacks targeting these two flaws are presently unclear, and there appear to be no public reports referencing their exploitation in the wild.

    However, a report from eSentire on December 23, 2025, revealed the release of a detailed proof-of-concept (PoC) exploit for CVE-2025-37164. This public availability of PoC exploit code significantly increases the risk to organizations running affected versions of the application. As the vulnerability impacts all versions prior to 11.0, organizations are strongly advised to apply the required updates to mitigate the potential risk of exploitation.

    In addition to these vulnerabilities, CISA has recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by January 28, 2026, to secure their networks against active threats. This directive is pursuant to Binding Operational Directive (BOD) 22-01, which aims to enhance the security posture of federal agencies.

    As the threat landscape continues to evolve, it's essential for organizations and individuals to remain vigilant and take proactive measures to protect themselves from cyber threats. In this context, applying timely updates and patches can be a crucial step in preventing exploitation of known vulnerabilities.

    Furthermore, the emergence of new attack vectors highlights the importance of adopting a zero-trust security approach. This involves continuously monitoring networks, systems, and applications for signs of malicious activity, as well as implementing robust security controls to prevent unauthorized access.

    In conclusion, CISA's recent alert about the Microsoft Office vulnerabilities and HPE OneView flaw underscores the ongoing threat landscape and the need for organizations to prioritize cybersecurity. By applying timely updates and patches, adopting a zero-trust approach, and staying informed about emerging threats, individuals and organizations can significantly reduce their risk of falling victim to cyber attacks.






  • Published: Wed Jan 7 23:52:26 2026 by llama3.2 3B Q4_K_M












