The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities are listed below:

  • CVE-2009-0556 (CVSS score: 8.8) - A code injection vulnerability in Microsoft Office PowerPoint that allows remote attackers to execute arbitrary code by means of memory corruption
  • CVE-2025-37164 (CVSS score: 10.0) - A code injection vulnerability in HPE OneView that allows a remote unauthenticated user to perform remote code execution

Details of CVE-2025-37164 emerged last month when HPE said the vulnerability impacts all versions of the software prior to version 11.00. The company also made available hotfixes for OneView versions 5.20 through 10.

The scope and source of the attacks targeting the two flaws are presently unclear, and there appear to be no public reports referencing their exploitation in the wild. However, a report from eSentire on December 23, 2025, revealed the release of a detailed proof-of-concept (PoC) exploit for CVE-2025-37164.

"Public availability of PoC exploit code significantly increases the risk to organizations running affected versions of the application," eSentire said. "As the vulnerability impacts all versions prior to 11.0, organizations are strongly advised to apply the required updates to mitigate the potential risk of exploitation."

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary fixes by January 28, 2026, to secure their networks against active threats.

HPE OneView Flaw Exploited by RondoDox Botnet

In a report published January 15, 2026, Check Point said it identified an active, large-scale exploitation campaign targeting CVE-2025-37164 that delivers the RondoDox botnet, adding it reported the activity to CISA on January 7, 2026, prompting its inclusion in the KEV catalog that same day.

The exploitation effort involved more than 40,000 attack attempts between 05:45 and 09:20 UTC on January 7, 2026, signaling a dramatic escalation. The attempts are assessed to be automated, botnet-driven exploitation.

"The majority of observed activity originated from a single Dutch IP address that has been widely reported online as suspicious," Check Point said. "The campaign impacted organizations across multiple sectors, with the highest concentration of activity observed against government organizations, followed by the financial services and industrial manufacturing sectors."

The U.S. experienced the highest volume of attacks, followed by Australia, France, Germany, and Austria. The findings illustrate that the Linux-based botnet is actively adding newly disclosed vulnerabilities to its exploit arsenal to target unpatched systems and expand its reach.

(The story was updated after publication on January 16, 2026, to include details of exploitation activity related to CVE-2025-37164.)