Zero-Day Double Trouble: Microsoft Office and HPE OneView Flaws Under Active Attack
Two critical vulnerabilities in widely used enterprise software have landed on CISA’s radar, with active exploitation and proof-of-concept code threatening organizations worldwide.
It’s every IT administrator’s nightmare: a pair of old and new vulnerabilities, one lurking for years and another freshly discovered, now weaponized and actively exploited in the wild. This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm, adding critical bugs in Microsoft Office PowerPoint and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog. The reason? Proof that attackers are already leveraging these weaknesses, putting countless organizations at risk.
Fast Facts
- CISA has flagged two major vulnerabilities as actively exploited: one in Microsoft Office PowerPoint (CVE-2009-0556) and one in HPE OneView (CVE-2025-37164).
- The HPE OneView flaw carries a maximum CVSS score of 10.0, and affects all versions before 11.00.
- A public proof-of-concept exploit for the HPE bug is circulating, significantly raising the risk of attacks.
- Federal agencies have until January 28, 2026, to patch affected systems.
- The full extent of ongoing attacks remains unclear, but urgency to remediate is high.
Inside the Breach: What’s at Stake?
The two vulnerabilities spotlighted by CISA represent a dangerous convergence of factors: widespread usage, high-impact remote code execution, and now, confirmed exploitation. CVE-2009-0556, a code injection flaw in Microsoft Office PowerPoint, may sound familiar: it’s been around since 2009. But its persistence in legacy systems means it remains a real threat, especially as attackers seek out unpatched, forgotten endpoints.
More alarming is CVE-2025-37164 in HPE OneView, a popular infrastructure management tool used in data centers worldwide. This recently disclosed vulnerability allows remote, unauthenticated attackers to execute arbitrary code on affected systems. With a maximum CVSS score of 10.0, it sits at the very top of the risk scale. HPE has released hotfixes for versions 5.20 through 10, but anything before version 11.00 is in the danger zone.
The catalyst for CISA’s alert? Security firm eSentire reported the public release of a detailed proof-of-concept exploit for the HPE bug in December 2025. The existence of such code drastically lowers the barrier for cybercriminals, enabling even less sophisticated actors to launch attacks. “Public availability of PoC exploit code significantly increases the risk to organizations,” eSentire warned.
While the precise scope and origin of current attacks remain murky (no major public incidents have yet been tied to these flaws), the presence of the vulnerabilities in CISA’s KEV catalog is a red flag. Federal agencies, per Binding Operational Directive 22-01, have been given a tight deadline to patch up, but private sector organizations should be no less vigilant.
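A defender-side triage check for the two advisories above, written here as an added example (it is not CISA’s, HPE’s or the article’s code): it joins an asset inventory to KEV-style entries, flags OneView hosts still below 11.00 and notes whether they fall in the hotfixed 5.20 through 10 range, and counts the days left until the BOD 22-01 due date. The field names follow the public KEV JSON feed; the sample entries and the inventory are constructed for this example.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's known_exploited_vulnerabilities.json.
# Only the fields this check uses are included; values mirror the article.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise (HPE)",
     "product": "OneView", "dueDate": "2026-01-28"},
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "Office PowerPoint", "dueDate": "2026-01-28"},
]})


def parse_version(version):
    """'10.20' -> (10, 20); tuple comparison avoids string-ordering bugs."""
    return tuple(int(part) for part in version.split("."))


def oneview_affected(version):
    """CVE-2025-37164 affects every OneView release before 11.00."""
    return parse_version(version) < (11, 0)


def oneview_hotfix_available(version):
    """HPE shipped hotfixes for 5.20 through 10.x (assumed inclusive of 10.x);
    older release trains need a full upgrade rather than a hotfix."""
    return (5, 20) <= parse_version(version) < (11, 0)


def triage(kev_json, inventory, today):
    """Join inventory rows {"host", "product", "version"} to KEV entries.

    OneView hosts get a version-based affected check; other products are
    treated as vulnerable when they appear in the catalog. Returns one
    finding per exposed host with the days remaining to the KEV due date."""
    kev = {e["product"]: e for e in json.loads(kev_json)["vulnerabilities"]}
    findings = []
    for asset in inventory:
        entry = kev.get(asset["product"])
        if entry is None:
            continue
        is_oneview = asset["product"] == "OneView"
        if is_oneview and not oneview_affected(asset["version"]):
            continue  # already on 11.00 or later
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        findings.append({
            "host": asset["host"], "cve": entry["cveID"],
            "days_left": days_left, "overdue": days_left < 0,
            "remediation": "apply HPE hotfix" if is_oneview and
            oneview_hotfix_available(asset["version"]) else "upgrade/patch",
        })
    return findings
```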
Why does this matter? In today’s threat landscape, attackers are quick to seize on any public exploit, and supply chain tools like HPE OneView are especially attractive targets. Organizations dragging their feet on updates could soon find themselves in the crosshairs.
The Takeaway
For defenders, the message is clear: patch now, or risk joining the growing list of victims. As legacy bugs resurface and new ones emerge, the cycle of vulnerability and exploitation shows no sign of slowing. Vigilance and rapid response are the only defenses against the next big breach.
WIKICROOK
- Vulnerability: A vulnerability is a weakness in software or systems that attackers can exploit to gain unauthorized access, steal data, or cause harm.
- Remote Code Execution: Remote code execution lets attackers run commands on your computer from a distance, often leading to full system compromise and data theft.
- Proof-of-Concept: A Proof-of-Concept (PoC) is a demonstration showing that a cybersecurity vulnerability can be exploited, helping to validate and assess real risks.
- CVSS Score: A CVSS Score rates the severity of security vulnerabilities from 0 to 10, with higher numbers indicating greater risk and urgency for response.
- Patch: A patch is a software update released to fix security vulnerabilities or bugs in programs, helping protect devices from cyber threats and improve stability.