Executive Summary
On January 7, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation of two critical code injection vulnerabilities: CVE-2009-0556 in Microsoft Office PowerPoint and CVE-2025-37164 affecting HPE OneView. Attackers leveraged these vulnerabilities to gain unauthorized code execution, potentially enabling lateral movement and data compromise within federal and enterprise environments. The exploitation highlighted weaknesses in outdated software and emphasized the urgency for immediate remediation to safeguard sensitive systems and data across government agencies and broader sectors.
The rapid addition of these vulnerabilities to CISA's KEV Catalog reflects a broader industry trend of threat actors targeting lingering, unpatched software with advanced code injection techniques. Increasing regulatory pressure and new threat intelligence underscore the need for timely vulnerability management as attackers adapt to bypass existing defenses.
Why This Matters Now
Active exploitation of widely deployed enterprise software combined with CISA's mandatory remediation deadlines signals increased urgency for all organizations to address code injection vulnerabilities, regardless of compliance scope. Delay in patching risks regulatory noncompliance and exposure to pivoting attacker campaigns.
Attack Path Analysis
Attackers exploited a code injection vulnerability in Microsoft PowerPoint or HPE OneView (CVE-2009-0556 or CVE-2025-37164) to gain initial access via malicious file delivery or exposed interface. Following access, they likely escalated privileges to obtain greater access within the environment. Using that access, attackers moved laterally across cloud workloads or services, searching for valuable data or sensitive systems. They established command and control channels to maintain persistence and coordinate activity, potentially bypassing perimeter controls via encrypted or covert channels. Data exfiltration then occurred, possibly leveraging unauthorized outbound traffic paths. Finally, attackers executed actions on objectives, such as deploying further payloads, disrupting systems, or preparing for ransom or further exploitation.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited a known code injection vulnerability (either via malicious PowerPoint file or exposed HPE OneView API) to gain a foothold in the target environment.
Related CVEs
CVE-2009-0556
CVSS 8.8. A code injection vulnerability in Microsoft Office PowerPoint allows remote attackers to execute arbitrary code via memory corruption.
Affected Products:
Microsoft Office PowerPoint – 2003 SP3, 2007 SP1, 2007 SP2
Exploit Status:
exploited in the wild
CVE-2025-37164
CVSS 10. A critical code injection vulnerability in HPE OneView allows unauthenticated remote attackers to execute arbitrary code on all versions prior to 11.00.
Affected Products:
Hewlett Packard Enterprise OneView – < 11.00
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Command and Scripting Interpreter
Exploitation for Client Execution
Exploit Public-Facing Application
Access Token Manipulation
Exploitation for Defense Evasion
Impair Defenses
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Common Coding Vulnerabilities
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy Requirements
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 8(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Vulnerability Mitigation
Control ID: Vulnerability & Patch Management
NIS2 Directive – Vulnerability Handling and Disclosure
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation of the CVE-2025-37164 HPE OneView code injection vulnerability under BOD 22-01, requiring immediate patch management and infrastructure security updates.
Information Technology/IT
IT organizations managing HPE OneView infrastructure face critical code injection exposure requiring zero trust segmentation, threat detection capabilities, and comprehensive vulnerability management practices.
Health Care / Life Sciences
Healthcare systems using HPE infrastructure must address code injection vulnerabilities while maintaining HIPAA compliance through encrypted traffic controls and secure hybrid connectivity solutions.
Financial Services
Financial institutions require immediate remediation of HPE OneView vulnerabilities to prevent data exfiltration while ensuring PCI compliance through egress security and anomaly detection.
Sources
- CISA Adds Two Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2026/01/07/cisa-adds-two-known-exploited-vulnerabilities-catalog
- CVE-2025-37164 - Critical Vulnerability - TheHackerWire: https://www.thehackerwire.com/vulnerability/CVE-2025-37164/
- CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited: https://radar.offseq.com/threat/cisa-flags-microsoft-office-and-hpe-oneview-bugs-a-85288de4
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, east-west traffic controls, and egress enforcement would significantly disrupt this kill chain—limiting lateral movement, detecting anomalies, and blocking data exfiltration or C2 attempts across cloud and hybrid environments.
Control: Inline IPS (Suricata)
Mitigation: Known exploit payloads would be detected and blocked at ingress.
Control: Zero Trust Segmentation
Mitigation: Lateral privilege escalation scope would be limited by application or workload boundaries.
Control: East-West Traffic Security
Mitigation: Unauthorized workload-to-workload movement would be detected and blocked.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious C2 traffic or anomalous behavior would trigger alerts and facilitate rapid response.
Control: Egress Security & Policy Enforcement
Mitigation: Unsanctioned data exfiltration attempts are blocked or logged for response.
Distributed inline enforcement limits attacker reach and enables rapid isolation of affected workloads.
Impact at a Glance
Affected Business Functions
- Document Management
- Infrastructure Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive corporate documents and administrative credentials.
Recommended Actions
Key Takeaways & Next Steps
- Immediately patch all instances of software listed in the KEV Catalog, prioritizing CVE-2009-0556 and CVE-2025-37164 wherever deployed.
- Deploy Inline IPS and threat detection controls to inspect ingress/egress and block known exploit attempts and C2 channels.
- Enforce Zero Trust segmentation and east-west traffic controls to stop unauthorized lateral movement and limit the blast radius of any compromise.
- Apply centralized egress filtering with policy enforcement to prevent data exfiltration and unauthorized outbound access from cloud workloads.
- Enhance visibility and anomaly detection leveraging CNSF capabilities to enable real-time detection and rapid response to future exploit attempts or abnormal activity.
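The first action above (patch every KEV-listed product, with these two CVEs first) is only actionable if you can tell which hosts actually run an affected version. The following script is an added example, not part of this report or of any CISA or vendor tooling: it matches an asset inventory against KEV-style records using the affected-version ranges the report states (PowerPoint 2003 SP3 / 2007 SP1 / 2007 SP2, OneView below 11.00) and flags findings that have passed their remediation due date. The KEV field names mirror the public CISA JSON feed, but the records, the inventory and the due dates are constructed placeholders.

```python
"""Match an asset inventory against KEV entries to find hosts that still need patching.

Added example; the KEV records, inventory hosts and due dates below are constructed
samples (field names follow the public CISA KEV JSON feed, values are placeholders).
"""
import re
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style records for the two CVEs in this report. Due dates are placeholders.
KEV_SAMPLE = [
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "Office PowerPoint", "dueDate": "2026-01-28"},
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise",
     "product": "OneView", "dueDate": "2026-01-28"},
]

# Constructed asset inventory (hostnames and versions are made up for the example).
INVENTORY = [
    {"host": "fileserver-01", "product": "Microsoft Office PowerPoint", "version": "2007 SP2"},
    {"host": "ws-17", "product": "Microsoft Office PowerPoint", "version": "2016"},
    {"host": "oneview-a", "product": "HPE OneView", "version": "10.20"},
    {"host": "oneview-b", "product": "HPE OneView", "version": "11.00"},
]


def parse_version(text: str) -> tuple:
    """Turn a dotted version such as '11.00' or '10.20.1' into a comparable integer tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


# Affected-version predicates, one per CVE, taken from the report's product tables:
# PowerPoint is an explicit list of releases, OneView is an open range below 11.00.
AFFECTED = {
    "CVE-2009-0556": lambda v: v.strip() in {"2003 SP3", "2007 SP1", "2007 SP2"},
    "CVE-2025-37164": lambda v: parse_version(v) < parse_version("11.00"),
}

# Normalised inventory product name -> CVEs that apply to it.
PRODUCT_TO_CVES = {
    "microsoft office powerpoint": ["CVE-2009-0556"],
    "hpe oneview": ["CVE-2025-37164"],
}


def normalise_product(name: str) -> str:
    """Lower-case, collapse whitespace and unify the HPE vendor spelling."""
    name = re.sub(r"\s+", " ", name.strip().lower())
    return name.replace("hewlett packard enterprise", "hpe")


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    version: str
    due_date: date
    overdue: bool


def find_exposed(inventory, kev=KEV_SAMPLE, today=date(2026, 1, 7)):
    """Return one Finding per (host, CVE) where the installed version is in the affected range."""
    due_by_cve = {entry["cveID"]: date.fromisoformat(entry["dueDate"]) for entry in kev}
    findings = []
    for asset in inventory:
        for cve_id in PRODUCT_TO_CVES.get(normalise_product(asset["product"]), []):
            if cve_id not in due_by_cve:
                continue  # not present in the catalog snapshot we were handed
            if AFFECTED[cve_id](asset["version"]):
                due = due_by_cve[cve_id]
                findings.append(Finding(asset["host"], cve_id, asset["version"], due, today > due))
    return findings


if __name__ == "__main__":
    for f in find_exposed(INVENTORY):
        status = "OVERDUE" if f.overdue else f"due {f.due_date.isoformat()}"
        print(f"{f.host}: {f.cve_id} (version {f.version}) {status}")
```

The version predicates are deliberately per-CVE rather than a single generic comparator: PowerPoint service-pack labels do not sort numerically, while OneView's "< 11.00" does, and mixing the two silently produces wrong matches. Pointing `kev` at a parsed copy of the live catalog and `inventory` at your CMDB export turns this into the daily check the BOD 22-01 deadlines require.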