CISA Mandates Urgent Patching for Exploited HPE OneView and Legacy Office Vulnerabilities
#Vulnerabilities


Regulation Reporter

The Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to its Known Exploited Vulnerabilities catalog: a maximum-severity (CVSS 10.0) remote code execution flaw in HPE OneView management software and a PowerPoint memory corruption vulnerability that Microsoft patched in 2009, both requiring immediate federal agency remediation.


The Cybersecurity and Infrastructure Security Agency (CISA) has issued binding remediation requirements under Binding Operational Directive 22-01 for two newly added vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must immediately address:

  1. CVE-2025-37164 (CVSS 10.0):

    • Affects HPE OneView infrastructure management software
    • Allows remote code execution granting full system control
    • HPE Security Advisory released December 18, 2025
    • Exploit code publicly available since disclosure
  2. CVE-2009-0556 (CVSS 8.8):

    • Microsoft PowerPoint memory corruption vulnerability
    • Patched in 2009 via MS09-017
    • Exploited through malicious PowerPoint files
    • Impacts unpatched legacy Office installations

Compliance Requirements

Per BOD 22-01:

  • Federal agencies must remediate both vulnerabilities by February 7, 2026 (30 days from catalog entry)
  • Non-federal entities should treat both vulnerabilities as high-priority remediation targets
  • Organizations must:
    • Identify all systems running HPE OneView
    • Inventory Microsoft Office installations (including legacy versions)
    • Apply the HPE OneView software update from the advisory and the Microsoft security patches (MS09-017 for PowerPoint)
    • Implement temporary mitigations where patching isn't immediately feasible
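The first step above, finding every OneView appliance on the network, is easy to get wrong when inventory relies on hostnames or CMDB records. The script below is an added example (not code from the article or from HPE): it probes each host's unauthenticated GET /rest/version endpoint, which a OneView appliance answers with a JSON object whose "currentVersion" and "minimumVersion" fields are integer REST API versions. That number identifies the appliance but is not the product release; map it to the release through HPE's OneView API documentation and compare against the fixed version given in the HPE advisory, which the article does not state and the script therefore does not hard-code. The JSON bodies used in the self-check are constructed.

```python
"""Discover HPE OneView appliances on a host list by probing the
unauthenticated GET /rest/version endpoint (added example, not from the
article or from HPE). Sample responses used for checking are constructed."""
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Finding:
    host: str
    is_oneview: bool
    api_version: Optional[int]   # OneView REST API version, not the release
    note: str


def _is_int(value) -> bool:
    # bool is a subclass of int in Python; a version field must be a real integer.
    return isinstance(value, int) and not isinstance(value, bool)


def classify_response(host: str, status: int, body: bytes) -> Finding:
    """Decide whether an HTTP response to /rest/version looks like OneView.
    OneView answers 200 with {"currentVersion": N, "minimumVersion": M}."""
    if status != 200:
        return Finding(host, False, None, f"HTTP {status}")
    try:
        doc = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return Finding(host, False, None, "non-JSON body")
    if (isinstance(doc, dict)
            and _is_int(doc.get("currentVersion"))
            and _is_int(doc.get("minimumVersion"))):
        return Finding(host, True, doc["currentVersion"], "OneView REST API detected")
    return Finding(host, False, None, "JSON without OneView version fields")


def probe(host: str, timeout: float = 5.0) -> Finding:
    """Fetch https://<host>/rest/version. Management appliances commonly run
    self-signed certificates, so verification is disabled for discovery only;
    do not reuse this context for anything that sends credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}/rest/version",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_response(host, resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(host, err.code, err.read())
    except (urllib.error.URLError, OSError) as err:
        return Finding(host, False, None, f"unreachable: {err}")


def inventory(hosts: Iterable[str]) -> List[Finding]:
    """Return only the hosts that answered like a OneView appliance."""
    return [f for f in (probe(h) for h in hosts) if f.is_oneview]


if __name__ == "__main__":
    import sys
    # Usage: python oneview_discover.py 10.0.0.5 10.0.0.6 mgmt.example.internal
    for found in inventory(sys.argv[1:]):
        print(f"{found.host}\tAPI version {found.api_version}\t{found.note}")
```

Run it against the management subnets rather than a list of known appliances; the point of the exercise is the OneView instance nobody recorded. Treat any 200 response with the two version fields as a hit even when the API version is unfamiliar, and record the host for patching or for the access restrictions discussed under Mitigation Strategies.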

Risk Analysis

  • HPE OneView Exploit: Compromise provides administrative control over servers, storage, and network infrastructure. Rapid7's proof-of-concept exploit confirms trivial weaponization.
  • Legacy PowerPoint Vulnerability: Despite being patched in 2009, unmanaged systems remain vulnerable. Attackers leverage this gap in outdated environments lacking patch management.

Remediation Timeline

Action Item                                          Deadline
Asset inventory completion                           January 15, 2026
HPE patch deployment                                 January 22, 2026
Office patch verification (including legacy systems) January 29, 2026
CISA compliance validation                           February 7, 2026

Mitigation Strategies

For HPE OneView:

  • Restrict management interface access to authorized IPs
  • Implement network segmentation for OneView components

For legacy Office systems:

  • Block or quarantine legacy binary PowerPoint attachments (.ppt, .pps, .pot) at the email gateway, matching on file content rather than on the extension alone
  • Migrate to a supported Office release (Microsoft 365 Apps or a current perpetual version)
  • Use Office File Block settings, deployable via Group Policy, to block or force Protected View for legacy binary PowerPoint formats; macro restrictions do not mitigate this flaw, which is memory corruption in the file parser, not macro execution
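An extension-only gateway rule misses a legacy binary deck that arrives under a different name, so the check needs to look at content. The following is an added example (not from the article or from Microsoft): it recognises the OLE2 compound file signature that all pre-2007 binary Office formats share and then looks for the UTF-16LE stream name "PowerPoint Document" that the binary PowerPoint format stores in its directory, keeping the extension rule as a fallback for payloads that are not OLE at all. The "OLE" blobs used in the self-check are constructed stubs with just the header magic and a stream name, not real files; a production filter should parse the directory properly (for example with the olefile library) instead of a substring search.

```python
"""Content-based detection of legacy binary PowerPoint attachments (added
example, not from the article). Checks the OLE2/CFB container magic and the
UTF-16LE stream names the binary Office formats use, so a renamed .ppt is
still caught. The OLE fragments built here are constructed, not real files."""
import os
from typing import Optional, Tuple

# OLE2 Compound File Binary header signature (D0 CF 11 E0 A1 B1 1A E1).
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Directory-entry stream names the legacy binary formats carry, stored UTF-16LE.
STREAM_SIGNATURES = {
    "powerpoint": "PowerPoint Document".encode("utf-16-le"),
    "word": "WordDocument".encode("utf-16-le"),
    "excel": "Workbook".encode("utf-16-le"),
}

# Extensions an extension-only gateway rule would block.
LEGACY_PPT_EXTENSIONS = {".ppt", ".pps", ".pot"}


def classify_ole(data: bytes) -> Optional[str]:
    """Return the legacy Office flavour of an OLE container, 'ole-unknown'
    for an OLE file with none of the known streams, or None if not OLE."""
    if not data.startswith(CFB_MAGIC):
        return None
    for kind, signature in STREAM_SIGNATURES.items():
        if signature in data:
            return kind
    return "ole-unknown"


def should_quarantine(filename: str, data: bytes) -> Tuple[bool, str]:
    """Gateway decision: quarantine legacy binary PowerPoint by content
    first, and by extension as a fallback for non-OLE payloads."""
    ext = os.path.splitext(filename)[1].lower()
    kind = classify_ole(data)
    if kind == "powerpoint":
        if ext in LEGACY_PPT_EXTENSIONS:
            return True, "legacy binary PowerPoint (.ppt family)"
        return True, f"legacy binary PowerPoint content disguised as '{ext or 'no extension'}'"
    if ext in LEGACY_PPT_EXTENSIONS:
        return True, f"blocked extension {ext} (content: {kind or 'not OLE'})"
    return False, f"allowed (content: {kind or 'not OLE'})"


def build_fake_ole(stream_name: str) -> bytes:
    """Construct a minimal blob that mimics an OLE container: the magic, a
    zero-filled remainder of the 512-byte header, then one sector holding the
    UTF-16LE stream name. Not a valid parseable CFB; enough for the heuristic."""
    header = CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC))
    directory = stream_name.encode("utf-16-le")
    return header + directory + b"\x00" * (512 - len(directory))


if __name__ == "__main__":
    ppt = build_fake_ole("PowerPoint Document")
    samples = [
        ("q4-results.ppt", ppt),                          # blocked by content and extension
        ("q4-results.bin", ppt),                          # renamed: extension rule alone misses it
        ("q4-results.pptx", b"PK\x03\x04" + b"\x00" * 60),  # OOXML zip container, allowed
        ("notes.ppt", b"plain text"),                     # extension fallback still applies
    ]
    for name, blob in samples:
        print(name, should_quarantine(name, blob))
```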

Compliance officers must prioritize these vulnerabilities regardless of age: both are confirmed as actively exploited. Organizations that miss CISA's deadline risk operational disruption from a compromise and may trigger breach notification obligations under applicable incident reporting regulations.
