CISA flags actively exploited Office relic alongside fresh HPE flaw


CISA has added a pair of security holes to its actively exploited list, warning that attackers are now abusing a maximum-severity bug in HPE's OneView management software and a years-old flaw in Microsoft Office.

The latest update to CISA's Known Exploited Vulnerabilities catalog flags CVE-2025-37164, a code injection vulnerability in HPE OneView, and CVE-2009-0556, a PowerPoint code injection bug that's been lurking for more than 15 years.

CVE-2025-37164 carries a perfect 10.0 CVSS score and affects HPE OneView, software used to manage servers, storage, and networking gear from a central console. In a December 18 advisory, HPE said the flaw could be exploited to inject and execute code, potentially granting full control of affected environments, though it did not say at the time whether attacks were already underway.

CISA's decision to add the flaw to its exploited-in-the-wild catalog suggests that has now changed, even if ...


Copyright of this story solely belongs to theregister.co.uk.