Vulnerabilities · January 8, 2026 · 3 min read

CISA Adds 16-Year-Old PowerPoint Flaw to Exploited List

January 7 KEV update includes CVE-2009-0556 from 2009 alongside recently patched HPE OneView vulnerability. Both are seeing active exploitation.

Marcus Chen

CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog on Tuesday—one from 2009 and one from 2025. The additions highlight a persistent reality: attackers exploit whatever works, regardless of when the flaw was discovered.

CVE-2009-0556 affects Microsoft Office PowerPoint and dates back to April 2009. CVE-2025-37164 is a maximum-severity flaw in HPE OneView that we covered last month. Both are now confirmed under active exploitation.

The Vulnerabilities

CVE-2009-0556: Microsoft Office PowerPoint

This vulnerability in PowerPoint, tracked as a code injection flaw, is old enough to have graduated high school. Microsoft disclosed it in Security Advisory 969136 in April 2009 after observing targeted attacks, then patched it in bulletin MS09-017 in May 2009. Sixteen years later, attackers are still finding unpatched systems to exploit.

The flaw allows remote code execution through specially crafted PowerPoint files in the legacy binary (PowerPoint 97-2003) format. When a user opens a malicious .ppt or .pps file, a malformed record in the file can trigger execution of arbitrary code with the privileges of the logged-in user. Nothing runs until a file is opened, so delivery depends on email attachments and lures, and users who do not run with administrative rights limit what a successful exploit can do. Microsoft rated it Critical when originally disclosed.

Why exploit a vulnerability from 2009? Legacy systems persist in enterprise environments far longer than security teams would prefer. Air-gapped networks, specialized industrial applications, and forgotten infrastructure often run software frozen in time. Attackers probe for these systems because the exploits are reliable and well-documented.

CVE-2025-37164: HPE OneView

This vulnerability is considerably newer—and considerably more dangerous. CVE-2025-37164 carries a CVSS score of 10.0 and allows unauthenticated remote code execution against HPE OneView infrastructure management platforms.

OneView serves as a central control plane for managing servers, storage, and networking in enterprise data centers. Compromising it gives attackers visibility into—and potential control over—an organization's physical and virtual infrastructure.

HPE released patches in version 11.00 in December 2025. Organizations that haven't updated are now racing against confirmed exploitation.

What KEV Addition Means

Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV-listed vulnerabilities within specified deadlines. For these additions, federal agencies must patch affected systems or implement mitigations by the due dates CISA specifies in the catalog entry.

Private sector organizations aren't bound by BOD 22-01, but the KEV catalog serves as a practical prioritization guide. Every entry represents confirmed active exploitation—not theoretical risk, but attacks happening now.

Immediate Actions

For CVE-2009-0556 (PowerPoint):

  1. Identify systems running vulnerable PowerPoint versions (primarily Office 2000, XP, 2003, and 2007, plus PowerPoint Viewer and the Office for Mac builds listed in MS09-017); all of these are long out of support
  2. Apply MS09-017 where it is still available, or upgrade to a supported Office version
  3. Block the legacy binary formats (.ppt, .pps, .pot) at email gateways if patching isn't immediately feasible, and filter on file content rather than extension alone, since a renamed attachment walks past an extension rule
  4. Office 2010 and later open attachments in Protected View, which does not exist in the affected versions; for those, Microsoft's original workarounds were the File Block policy for PowerPoint 97-2003 formats and opening legacy files through MOICE (Microsoft Office Isolated Conversion Environment)
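The gateway check in step 3 is the part people get wrong: an extension rule does nothing for a .ppt renamed to .zip. The legacy PowerPoint 97-2003 formats are OLE2 compound files (magic bytes D0 CF 11 E0) whose directory contains a stream literally named "PowerPoint Document", so the reliable test is on content. The following is an added example, not code from the article, CISA or Microsoft: a small OLE2 directory reader that flags legacy PowerPoint containers regardless of filename, plus a constructed fixture so it runs offline. The stream name and magic are from the OLE2/PowerPoint binary specifications; `attachment_verdict` and `build_sample_ole` are this example's own names. A .pptx is a ZIP container, so it is deliberately not matched.

```python
import struct

# Added example for content-based gateway filtering; not code from the
# article, CISA or Microsoft. Legacy PowerPoint (.ppt/.pps/.pot) files are
# OLE2 compound files carrying a "PowerPoint Document" stream.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT = 0xFFFFFFFA          # larger sector IDs are special markers
FATSECT = 0xFFFFFFFD
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
PPT_STREAM = "PowerPoint Document"
LEGACY_EXTS = (".ppt", ".pps", ".pot")


def _sector(data, sector_size, sid):
    """Sector sid starts after the 512-byte header at (sid + 1) * size."""
    off = (sid + 1) * sector_size
    return data[off:off + sector_size]


def ole_entry_names(data):
    """Return every directory entry name of an OLE2 container, or None if
    the bytes are not OLE2. Only the 109 FAT sectors referenced from the
    header DIFAT are read (roughly the first 7 MB of a file); a directory
    chain that runs past them is truncated rather than followed."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    sector_shift, = struct.unpack_from("<H", data, 30)
    if sector_shift not in (9, 12):      # spec allows 512- or 4096-byte sectors
        return None
    sector_size = 1 << sector_shift
    first_dir, = struct.unpack_from("<I", data, 48)
    fat = []
    for fat_sid in struct.unpack_from("<109I", data, 76):
        if fat_sid > MAXREGSECT:
            break
        sec = _sector(data, sector_size, fat_sid)
        n = len(sec) // 4
        fat.extend(struct.unpack("<%dI" % n, sec[:n * 4]))
    names, seen, sid = [], set(), first_dir
    while sid <= MAXREGSECT and sid < len(fat) and sid not in seen:
        seen.add(sid)                    # guards against FAT loops in hostile files
        sec = _sector(data, sector_size, sid)
        for off in range(0, len(sec) - 127, 128):   # 128-byte directory entries
            name_len, = struct.unpack_from("<H", sec, off + 64)
            if 2 <= name_len <= 64:      # length includes the UTF-16 terminator; 0 = unused
                raw = sec[off:off + name_len - 2]
                names.append(raw.decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names


def is_legacy_powerpoint(data):
    """True if data is an OLE2 file whose directory has a PowerPoint stream."""
    names = ole_entry_names(data)
    return names is not None and PPT_STREAM in names


def attachment_verdict(filename, data):
    """Gateway decision (hypothetical policy): content match first, then extension."""
    if is_legacy_powerpoint(data):
        return "block: legacy PowerPoint container"
    if filename.lower().endswith(LEGACY_EXTS):
        return "block: legacy PowerPoint extension"
    return "allow"


def build_sample_ole(entry_names):
    """Constructed test fixture: a minimal OLE2 container (header, one FAT
    sector, one directory sector) listing up to three entries after the
    root. It is not a real document, just enough structure for the parser."""
    assert len(entry_names) <= 3
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    # minor/major version, byte order, sector shift 9 (512 bytes), mini shift
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 44, 1, 1)   # one FAT sector; directory at sector 1
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # DIFAT: FAT is sector 0
    fat_sector = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray()
    for name in ["Root Entry"] + list(entry_names):
        entry = bytearray(128)
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        entry[:len(encoded)] = encoded
        struct.pack_into("<H", entry, 64, len(encoded))
        directory += entry
    return bytes(header) + fat_sector + bytes(directory.ljust(512, b"\x00"))


if __name__ == "__main__":
    deck = build_sample_ole(["Current User", PPT_STREAM])
    print(attachment_verdict("deck.zip", deck))          # blocked: content wins over the renamed extension
    print(attachment_verdict("notes.pps", b"plain text"))  # blocked on extension alone
    print(attachment_verdict("slides.pptx", b"PK\x03\x04" + bytes(600)))  # allowed: ZIP, not OLE2
```

The parser walks the directory chain through the FAT rather than trusting the first sector, and it caps the sector size and tracks visited sectors so a hostile file cannot send it into a loop or an enormous allocation; a filter that crashes on crafted input is its own problem. In production the same check belongs on the gateway's extracted-attachment path (including inside archives), not only on the top-level MIME part.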

For CVE-2025-37164 (HPE OneView):

  1. Update HPE OneView to version 11.00 or later
  2. Restrict network access to OneView management interfaces to a dedicated management network or jump hosts; they should never be reachable from user networks or the internet
  3. Review OneView audit logs for signs of unauthorized access or unusual administrative activity, and treat an appliance that was exposed while unpatched as possibly already compromised
  4. Map what OneView can reach. It administers servers, storage and network devices using credentials it holds for them, so if it is compromised those systems are within reach as well

The Bigger Picture

The juxtaposition of these two vulnerabilities tells a story. CVE-2009-0556 demonstrates that legacy software doesn't age out of the threat landscape. If vulnerable systems exist, attackers will find them. Security teams can't assume old flaws are irrelevant just because patches have been available for years.

CVE-2025-37164 shows the other end of the timeline. Maximum-severity vulnerabilities in infrastructure management platforms get targeted quickly. The window between patch release and active exploitation continues to shrink.

CISA's KEV catalog now contains over 1,100 vulnerabilities. Each represents a real attack observed in the wild. For security teams struggling to prioritize patching across thousands of potential vulnerabilities, the catalog offers a reality-based shortlist of what attackers actually exploit.

Federal agencies have mandatory deadlines. Everyone else should treat KEV additions as escalation triggers—evidence that theoretical risk has become operational reality.
