A 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability are the latest additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-37164 is a 10.0-rated Code Injection vulnerability in Hewlett Packard Enterprise’s OneView IT infrastructure management software, while CVE-2009-0556 is a 9.3-severity Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac. Per standard practice, CISA didn’t provide any details on how the PowerPoint and HPE vulnerabilities are being exploited, but it’s not unusual for the agency to add older vulnerabilities to the CISA KEV catalog. CISA added a 2007 Microsoft Excel vulnerability to the KEV catalog last year, while the oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups. The PowerPoint and HPE vulnerabilities are the first to be added to the KEV catalog in 2026, following 245 vulnerabilities added in 2025.

CISA KEV Addition Follows CVE-2025-37164 PoC

CISA’s addition of CVE-2025-37164 to the KEV catalog follows a Proof of Concept (PoC) exploit published by Rapid7 on Dec. 19. HPE notes that CVE-2025-37164 could allow a remote unauthenticated user to perform remote code execution. The company acknowledged Nguyen Quoc Khanh for reporting the issue. HPE has released a security hotfix for any version of HPE OneView from 5.20 through version 10.20, which must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage. While the HPE advisory says all versions through v10.20 are affected, the Rapid7 PoC notes that “Based on our analysis, we suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable to CVE-2025-37164, whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable to CVE-2025-37164. More clarification is needed from the vendor to confirm or deny this hypothesis.” Rapid7 also released a Metasploit module for CVE-2025-37164.

CVE-2009-0556 PowerPoint Flaw First Attacked in 2009

The Microsoft PowerPoint flaw could allow remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. The National Vulnerability Database (NVD) notes that CVE-2009-0556 was initially exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen. Microsoft’s May 2009 security bulletin notes that an attacker who successfully exploited the remote code execution vulnerability “could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The vulnerability triggers memory corruption when PowerPoint reads an invalid index value in a maliciously crafted PowerPoint file, which could allow an attacker to execute arbitrary code. Microsoft notes that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”