Ethical Hacking News
The U.S. Cybersecurity Landscape Takes a Critical Turn: HPE OneView and Microsoft Office PowerPoint Flaws Added to Known Exploited Vulnerabilities Catalog
In a move aimed at bolstering the nation's cybersecurity posture, CISA has added two high-profile vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The added flaws pertain to Microsoft Office PowerPoint and Hewlett Packard Enterprise OneView software, highlighting the need for organizations and individuals alike to take proactive steps towards securing their systems.
CISA has added two high-profile vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, CVE-2009-0556 and CVE-2025-37164. CVE-2009-0556 is a memory corruption flaw in legacy Microsoft PowerPoint that allows attackers to execute arbitrary code via a crafted .ppt file. The vulnerability has been exploited in the wild since April 2009, affecting PowerPoint 2000/2002/2003 and Office 2004 for Mac. CVE-2025-37164 is a maximum-severity security flaw that allows an attacker to achieve remote code execution on HPE OneView Software. Experts advise reviewing the KEV catalog, assessing infrastructure, and addressing vulnerabilities at the earliest opportunity. Keeping software up-to-date, implementing robust security measures, and staying vigilant against emerging threats are crucial components of an effective cybersecurity strategy.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken significant steps in bolstering the nation's cybersecurity posture by adding two high-profile vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The added flaws, namely CVE-2009-0556 and CVE-2025-37164, pertain to Microsoft Office PowerPoint and Hewlett Packard Enterprise OneView software, respectively.
The first vulnerability, CVE-2009-0556, is a memory corruption flaw in legacy Microsoft PowerPoint that allows attackers to execute arbitrary code via a crafted .ppt file. An invalid index in the OutlineTextRefAtom triggers improper memory handling when the file is opened. Exploited in the wild in April 2009 (Exploit:Win32/Apptom.gen), it affects PowerPoint 2000/2002/2003 and Office 2004 for Mac, enabling full compromise with user privileges.
This vulnerability has been a concern for quite some time now, and its inclusion in the KEV catalog serves as a stark reminder of the importance of keeping software up to date. Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allow remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.
In stark contrast, the second vulnerability, CVE-2025-37164, is a maximum-severity security flaw tracked as CVSS 10.0 in OneView Software. An attacker can exploit this flaw to achieve remote code execution. HPE OneView is an integrated IT management and automation platform by Hewlett Packard Enterprise used to manage, monitor, and automate HPE data center infrastructure.
It provides a single, software-defined interface to control servers, storage, and networking, mainly in HPE environments (e.g., ProLiant servers and Synergy systems). The identified vulnerability has been described as potential security vulnerability that could be exploited by a remote unauthenticated user to perform remote code execution. This vulnerability impacts all versions through v10.20.
Experts and federal agencies are advised to review the Catalog, assess their infrastructure, and address the vulnerabilities at the earliest opportunity. CISA's Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities emphasizes the importance of addressing these identified vulnerabilities by their respective due dates in order to protect their networks against attacks exploiting these flaws.
In light of this critical turn in the U.S. cybersecurity landscape, it is imperative for organizations and individuals alike to take proactive steps towards securing their systems. Keeping software up-to-date, implementing robust security measures, and staying vigilant against emerging threats are essential components of an effective cybersecurity strategy.
Furthermore, it is worth noting that the inclusion of these vulnerabilities in the KEV catalog underscores the importance of continued vigilance and proactive measures in maintaining the nation's cybersecurity posture. As CISA continues to work towards enhancing the resilience of U.S. critical infrastructure, it is crucial that all stakeholders remain aware of emerging threats and take swift action to address them.
The United States' commitment to a robust and resilient cybersecurity ecosystem can only be achieved through collective efforts and ongoing vigilance. In this context, the addition of HPE OneView and Microsoft Office PowerPoint flaws to the KEV catalog serves as a stark reminder of the ever-evolving threat landscape and the need for unwavering dedication to cybersecurity excellence.
Related Information:
https://www.ethicalhackingnews.com/articles/The-US-Cybersecurity-Landscape-Takes-a-Critical-Turn-HPE-OneView-and-Microsoft-Office-PowerPoint-Flaws-Added-to-Known-Exploited-Vulnerabilities-Catalog-ehn.shtml
https://securityaffairs.com/186672/security/u-s-cisa-adds-hpe-oneview-and-microsoft-office-powerpoint-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://nvd.nist.gov/vuln/detail/CVE-2009-0556
https://www.cvedetails.com/cve/CVE-2009-0556/
https://nvd.nist.gov/vuln/detail/CVE-2025-37164
https://www.cvedetails.com/cve/CVE-2025-37164/
Published: Thu Jan 8 05:09:05 2026 by llama3.2 3B Q4_K_M
