Executive Summary
In January 2026, CISA added two actively exploited vulnerabilities affecting Microsoft Office (CVE-2009-0556) and HPE OneView (CVE-2025-37164) to its Known Exploited Vulnerabilities (KEV) catalog after credible reports of active exploitation. CVE-2009-0556 is a memory corruption flaw in PowerPoint, classed by CISA as code injection, that yields remote code execution when a user opens a crafted PowerPoint file; CVE-2025-37164 is a code injection flaw that yields unauthenticated remote code execution against every HPE OneView version prior to 11.00. eSentire reported public proof-of-concept exploit code for the HPE flaw, which further raises organizational risk. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate both by the catalog due date of January 28, 2026.
These additions underscore the urgency of rapid patch management as threat actors increasingly exploit published vulnerabilities within days of proof-of-concept code appearing. The quick turnaround from disclosure to KEV listing also reflects growing regulatory pressure, and the need for proactive controls, on organizations running unpatched enterprise software.
Why This Matters Now
Public proof-of-concept exploit code exists for the HPE OneView flaw, and active exploitation of both vulnerabilities has been observed, sharply escalating the risk and urgency for affected organizations. Because CVE-2025-37164 affects every HPE OneView version prior to 11.00 and OneView is widely deployed as an infrastructure management plane, delayed patching may lead to widespread compromise and compliance failures. The PowerPoint releases affected by CVE-2009-0556 (Office 2000, 2002, 2003 and 2004 for Mac) are long out of support, so for those installs remediation means removing or upgrading the software rather than waiting for a patch.
Attack Path Analysis
The two vulnerabilities offer different initial-access routes: CVE-2009-0556 requires a user to open a crafted PowerPoint file (typically delivered by phishing), while CVE-2025-37164 can be exploited directly against an exposed HPE OneView appliance without authentication. Once code execution is obtained, an attacker would likely abuse local or application-level privileges to escalate access; on a OneView appliance that means inheriting the management plane's own privileged view of servers, storage and networking. From there, lateral movement along internal east-west network paths reaches additional resources or sensitive workloads. Having established a foothold, the attacker sets up command and control communications to maintain persistence and issue remote commands, potentially over encrypted channels that blend in with legitimate HTTPS. Data is then at risk of exfiltration via unauthorized outbound connections or direct export from compromised systems. Finally, the attacker could disrupt operations, deploy ransomware, or corrupt business data to achieve impact.
Kill Chain Progression
Initial Compromise
Description
Initial access via CVE-2009-0556 (client-side: a crafted PowerPoint file opened by the user) and CVE-2025-37164 (server-side: unauthenticated remote code execution against a public-facing or internally reachable HPE OneView appliance), each yielding arbitrary code execution and unauthorized access.
Related CVEs
CVE-2009-0556
CVSS 7.8
A memory corruption vulnerability in Microsoft Office PowerPoint allows remote attackers to execute arbitrary code via a crafted PowerPoint file.
Affected Products:
Microsoft Office PowerPoint – 2000 SP3, 2002 SP3, 2003 SP3, 2004 for Mac
Exploit Status:
Exploited in the wild
CVE-2025-37164
CVSS 10.0
A code injection vulnerability in HPE OneView allows a remote unauthenticated user to perform remote code execution.
Affected Products:
Hewlett Packard Enterprise OneView – versions prior to 11.00
Exploit Status:
Exploited in the wild; public proof-of-concept code available
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Exploit Public-Facing Application
Command and Scripting Interpreter
Windows Management Instrumentation
Process Injection
Valid Accounts
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Vulnerabilities Management
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
CISA ZTMM 2.0 – Asset Vulnerability Management
Control ID: Pillar 2: Device Security
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal Civilian Executive Branch agencies face critical remote code execution risk from the Microsoft Office and HPE OneView vulnerabilities and must remediate both by January 28, 2026 under CISA BOD 22-01.
Health Care / Life Sciences
Healthcare systems using HPE OneView infrastructure face maximum-severity remote code execution threats, compromising HIPAA compliance and patient data protection through vulnerability exploitation.
Financial Services
Banking institutions utilizing HPE OneView and Microsoft Office face severe code injection attacks threatening PCI DSS compliance and financial data integrity through active exploitation.
Information Technology/IT
IT service providers managing HPE OneView environments face a critical, unauthenticated remote code execution flaw that enables lateral movement and compromise of multi-client infrastructure from a single management appliance.
Sources
- CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited – https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html
- CISA Adds Two Known Exploited Vulnerabilities to Catalog – https://www.cisa.gov/news-events/alerts/2026/01/07/cisa-adds-two-known-exploited-vulnerabilities-catalog
- HPE OneView Remote Code Execution Vulnerability – https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us
- Microsoft Security Bulletin MS09-017 - Critical – https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-017
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, east-west traffic controls, threat detection, and egress filtering as enabled by CNSF capabilities would have limited adversary freedom of movement, rapidly detected anomalous exploitation, and minimized data loss or operational disruption.
Control: Inline IPS (Suricata)
Mitigation: Signature-based threat prevention at the network edge detects and blocks known exploit payloads. Coverage depends on a rule existing for the specific exploit and on the traffic being inspectable: TLS to a OneView appliance must be terminated or decrypted before the IPS can see the request body.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation limits attacker access to lateral movement targets even after privilege escalation.
Control: East-West Traffic Security
Mitigation: Lateral movement is detected and contained by enforcing east-west traffic security and workload-to-workload policies.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 channels are blocked or immediately surfaced for incident response.
Control: Multicloud Visibility & Control
Mitigation: Rapid detection of anomalous data movement triggers response to stop exfiltration; real-time anomaly detection and automated policy enforcement limit the scope of operational impact.
Impact at a Glance
Affected Business Functions
- Infrastructure Management
- Data Center Operations
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive configuration data and administrative credentials due to unauthorized access to infrastructure management systems.
Recommended Actions
Key Takeaways & Next Steps
- Immediately apply available hotfixes and prioritize patching for all externally exposed applications vulnerable to recent CVEs.
- Enable Zero Trust segmentation and east-west traffic inspection to contain post-compromise movement between cloud workloads.
- Deploy inline IPS and continuous anomaly detection to prevent exploitation of known vulnerabilities and rapidly surface covert threats.
- Enforce strict egress policies limiting outbound connections to only approved domains and services to prevent data exfiltration and C2 communications.
- Centralize multicloud visibility and automate incident response workflows to enable rapid detection and remediation of cloud-native threats.
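The first action above, prioritizing patches for KEV-listed flaws, is easiest to operationalize against CISA's machine-readable catalog. The script below is an added example and is not part of the original advisory or any vendor tooling. It parses a feed in the KEV JSON schema (CISA publishes the real one at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), joins it against an asset inventory, flags OneView appliances below 11.00 as affected by CVE-2025-37164 using the version boundary from the advisory, and ranks everything by days left until the CISA due date. The two-entry feed excerpt, hostnames, version strings and scanner output are constructed for illustration; only the CVE IDs, the 2026-01-07 catalog date and the 2026-01-28 due date come from the advisory.

```python
"""Rank remediation work against CISA's Known Exploited Vulnerabilities (KEV) feed.

Added example, not from the original advisory. SAMPLE_FEED is a constructed excerpt
in the public KEV JSON schema; SAMPLE_INVENTORY hosts and versions are constructed.
"""
import json
from datetime import date

SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2009-0556",
            "vendorProject": "Microsoft",
            "product": "Office PowerPoint",
            "vulnerabilityName": "Microsoft Office PowerPoint Code Injection Vulnerability",
            "dateAdded": "2026-01-07",
            "shortDescription": "Memory corruption allows remote code execution via a crafted file.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2026-01-28",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2025-37164",
            "vendorProject": "Hewlett Packard Enterprise",
            "product": "OneView",
            "vulnerabilityName": "HPE OneView Code Injection Vulnerability",
            "dateAdded": "2026-01-07",
            "shortDescription": "Unauthenticated remote code execution.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2026-01-28",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory, shaped like a CMDB/scanner export. cve_ids are scanner
# findings; OneView exposure is additionally derived from the appliance version.
SAMPLE_INVENTORY = [
    {"host": "oneview-01.example.internal", "product": "HPE OneView",
     "version": "10.20.00-0456871", "cve_ids": []},
    {"host": "oneview-02.example.internal", "product": "HPE OneView",
     "version": "11.00.00-0500001", "cve_ids": []},
    {"host": "ws-finance-17.example.internal", "product": "Microsoft Office PowerPoint 2003 SP3",
     "version": "11.0", "cve_ids": ["CVE-2009-0556"]},
    {"host": "db-03.example.internal", "product": "PostgreSQL",
     "version": "16.3", "cve_ids": []},
]

ONEVIEW_FIXED = (11, 0, 0)  # advisory: every OneView version prior to 11.00 is affected


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def parse_version(version: str) -> tuple:
    """'10.20.00-0456871' -> (10, 20, 0). The build suffix after '-' is ignored and
    short versions are zero-padded so '11.00' compares equal to '11.00.00'."""
    parts = [int(p) for p in version.split("-", 1)[0].split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def oneview_affected(version: str) -> bool:
    """True when the appliance runs a release below the fixed version."""
    return parse_version(version) < ONEVIEW_FIXED


def prioritise(kev: dict, inventory: list, today_iso: str) -> list:
    """Join inventory against KEV and rank by days left until the CISA due date.

    Negative days_left means the due date has passed. Assets with no KEV-listed
    CVE are dropped: this ranks KEV exposure only, it is not a full vuln report.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        cves = set(asset.get("cve_ids", []))
        if asset["product"] == "HPE OneView" and oneview_affected(asset["version"]):
            cves.add("CVE-2025-37164")
        for cve in sorted(cves):
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"host": asset["host"], "cve": cve,
                             "name": entry["vulnerabilityName"], "due": entry["dueDate"],
                             "days_left": days_left, "overdue": days_left < 0})
    # Most urgent first; hostname breaks ties so the order is stable across runs.
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in prioritise(load_kev(SAMPLE_FEED), SAMPLE_INVENTORY, "2026-01-20"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{flag:>10}  {f['host']:<32} {f['cve']:<16} due {f['due']}")
```

In production, replace SAMPLE_FEED with the downloaded catalog and SAMPLE_INVENTORY with your scanner or CMDB export; the version check is the part worth keeping, because a scanner that lacks a plugin for a brand-new CVE will otherwise miss the exposed appliance. For the PowerPoint entry the KEV "discontinue use" branch applies, since the affected Office builds are end-of-life and no patch will arrive.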