Two security vulnerabilities affecting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView have been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). There don't seem to be any public reports mentioning their exploitation in the wild, and the extent and origin of the attacks aimed at the two vulnerabilities are currently unknown. In order to protect their networks from active threats, Federal Civilian Executive Branch (FCEB) agencies are advised to implement the required fixes by January 28, 2026, in accordance with Binding Operational Directive (BOD) 22-01.

The vulnerabilities are as follows: CVE-2009-0556 (CVSS score: 8.8) is a code injection vulnerability in Microsoft Office PowerPoint that enables remote attackers to use memory corruption to execute arbitrary code. CVE-2025-37164 (CVSS score: 10.0) is a code injection vulnerability in HPE OneView that enables remote code execution by an unauthorized user.