CISA Warns of Attacks on PowerPoint and HPE Vulnerabilities

8 January 2026 at 10:51

PowerPoint and HPE vulnerabilities CVE-2009-0556 and CVE-2025-37164 are the first to be added to CISA's KEV catalog in 2026

A 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability are the latest additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-37164 is a 10.0-rated Code Injection vulnerability in Hewlett Packard Enterprise’s OneView IT infrastructure management software, while CVE-2009-0556 is a 9.3-severity Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac.

Per standard practice, CISA didn’t provide any details on how the PowerPoint and HPE vulnerabilities are being exploited, but it’s not unusual for the agency to add older vulnerabilities to the CISA KEV catalog. CISA added a 2007 Microsoft Excel vulnerability to the KEV catalog last year, while the oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups.

The PowerPoint and HPE vulnerabilities are the first to be added to the KEV catalog in 2026, following 245 vulnerabilities added in 2025.

CISA KEV Addition Follows CVE-2025-37164 PoC

CISA’s addition of CVE-2025-37164 to the KEV catalog follows a Proof of Concept (PoC) exploit published by Rapid7 on Dec. 19. HPE notes that CVE-2025-37164 could allow a remote unauthenticated user to perform remote code execution. The company acknowledged Nguyen Quoc Khanh for reporting the issue.

HPE has released a security hotfix for any version of HPE OneView from 5.20 through version 10.20, which must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage.

While the HPE advisory says all versions through v10.20 are affected, the Rapid7 PoC notes that “Based on our analysis, we suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable to CVE-2025-37164, whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable to CVE-2025-37164. More clarification is needed from the vendor to confirm or deny this hypothesis.” Rapid7 also released a Metasploit module for CVE-2025-37164.

CVE-2009-0556 PowerPoint Flaw First Attacked in 2009

The Microsoft PowerPoint flaw could allow remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. The National Vulnerability Database (NVD) notes that CVE-2009-0556 was initially exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen.

Microsoft’s May 2009 security bulletin notes that an attacker who successfully exploited the remote code execution vulnerability “could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The vulnerability triggers memory corruption when PowerPoint reads an invalid index value in a maliciously crafted PowerPoint file, which could allow an attacker to execute arbitrary code.

Microsoft notes that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

CISA warns of active attacks on HPE OneView and legacy PowerPoint

8 January 2026 at 09:29

The US Cybersecurity and Infrastructure Security Agency (CISA) added both a newly discovered flaw and a much older one to its catalog of Known Exploited Vulnerabilities (KEV).

The KEV catalog gives Federal Civilian Executive Branch (FCEB) agencies a list of vulnerabilities that are known to be exploited in the wild, along with deadlines for when they must be patched. In both of these cases, the due date is January 28, 2026.

But CISA alerts are not just for government agencies. They also provide guidance to businesses and end users about which vulnerabilities should be patched first, based on real-world exploitation.

A critical flaw in HPE OneView

The recently found vulnerability, tracked as CVE-2025-37164, carries a CVSS score of 10 out of 10 and allows remote code execution. The flaw affects HPE OneView, a platform used to manage IT infrastructure, and a patch was released on December 17, 2025.

This critical vulnerability allows a remote, unauthenticated attacker to execute code and potentially gain large-scale control over servers, firmware, and lifecycle management. Management platforms like HPE OneView are often deployed deep inside enterprise networks, where they have extensive privileges and limited monitoring because they are trusted.

Proof of Concept (PoC) code, in the form of a Metasploit module, was made public just one day after the patch was released.

A PowerPoint vulnerability from 2009 resurfaces

The cybersecurity dinosaur here is a vulnerability in Microsoft PowerPoint, tracked as CVE-2009-0556, that dates back more than 15 years. It affects:

  • Microsoft Office PowerPoint 2000 SP3
  • PowerPoint 2002 SP3
  • PowerPoint 2003 SP3
  • PowerPoint in Microsoft Office 2004 for Mac

The flaw allows remote attackers to execute arbitrary code by tricking a victim into opening a specially crafted PowerPoint file that triggers memory corruption.

In the past, this vulnerability was exploited by malware known as Apptom. CISA rarely adds vulnerabilities to the KEV catalog based on ancient exploits, so the “sudden” re‑emergence of the 2009 PowerPoint vulnerability suggests attackers are targeting still‑deployed legacy Office installs.

Successful exploitation can allow attackers to run arbitrary code, deploy malware, and establish a foothold for lateral movement inside a network. Unlike the HPE OneView flaw, this attack requires user interaction—the target must open the malicious PowerPoint file.

Stay safe

When it comes to managing vulnerabilities, prioritizing which patches to apply is an important part of staying safe. So, to make sure you don’t fall victim to exploitation of known vulnerabilities:

  • Keep an eye on the CISA KEV catalog as a guide to what’s currently under active exploitation.
  • Update as fast as you can without interrupting daily routine.
  • Use a real-time up-to-date anti-malware solution to intercept exploits and malware attacks.
  • Don’t open unsolicited attachments without verifying with the—trusted—sender.
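
One way to act on the first two items, as an added example rather than code from the article or from CISA: match KEV entries against an asset inventory and report the days left before the due date. The records use the field names of CISA's KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`); the inventory, host names and `patched` flag are constructed assumptions, and the affected-version rules are the ones stated in the articles above.

```python
from datetime import date

# Constructed records using the field names of CISA's KEV JSON feed; the CVE IDs,
# products and due date are the ones given in the articles above.
KEV = [
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise",
     "product": "OneView", "dueDate": "2026-01-28"},
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "PowerPoint", "dueDate": "2026-01-28"},
]

# Hypothetical inventory: hosts, versions and "patched" flags are constructed.
INVENTORY = [
    {"host": "oneview-01", "product": "OneView", "version": "8.30", "patched": False},
    {"host": "oneview-02", "product": "OneView", "version": "10.20", "patched": True},
    {"host": "kiosk-07", "product": "PowerPoint", "version": "2003 SP3", "patched": False},
    {"host": "laptop-12", "product": "PowerPoint", "version": "2019", "patched": False},
]

def _ver(text):
    """Turn '10.20' into (10, 20) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Affected-version rules as stated in the articles (OneView 5.20 through 10.20;
# the four listed legacy PowerPoint releases).
AFFECTED = {
    "CVE-2025-37164": lambda v: _ver("5.20") <= _ver(v) <= _ver("10.20"),
    "CVE-2009-0556": lambda v: v in {"2000 SP3", "2002 SP3", "2003 SP3", "2004 for Mac"},
}

def triage(kev, inventory, today):
    """Return unpatched, affected assets with days remaining until the KEV due date."""
    findings = []
    for entry in kev:
        in_range = AFFECTED.get(entry["cveID"])
        if in_range is None:
            continue  # no version rule known for this CVE; needs manual review
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if (asset["product"] == entry["product"] and not asset["patched"]
                    and in_range(asset["version"])):
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "days_left": (due - today).days, "overdue": today > due})
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))

if __name__ == "__main__":
    for finding in triage(KEV, INVENTORY, date(2026, 1, 8)):
        print(finding)
```
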
