The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with two new entries that span nearly two decades of computing history. The latest additions include a critical code injection flaw in HPE OneView and, surprisingly, a resurrection of a 2009 vulnerability in Microsoft PowerPoint.
The most pressing danger comes from a newly identified vulnerability in Hewlett Packard Enterprise (HPE) OneView, the infrastructure management software used by data centers worldwide.
Tracked as CVE-2025-37164, this vulnerability carries the maximum possible CVSS score of 10.0, signaling catastrophic potential. The flaw allows a “remote unauthenticated user to perform remote code execution,” meaning an attacker needs no credentials to seize control of the management appliance.
HPE has released a critical security hotfix covering a massive range of versions—from 5.20 through 10.20. Administrators are warned that this fix is fragile; it “must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00,” specifically for HPE Synergy Composer reimages.
CISA also flagged CVE-2009-0556. This vulnerability affects legacy software including Microsoft Office PowerPoint 2000, 2002, 2003, and even Office 2004 for Mac.
The flaw involves a memory corruption issue triggered by an invalid index value in an “OutlineTextRefAtom” within a PowerPoint file. While it reads like ancient history, CISA’s inclusion confirms active exploitation evidence, likely involving the Exploit:Win32/Apptom.gen malware first seen in the wild back in April 2009.
Federal Civilian Executive Branch (FCEB) agencies have been given a strict deadline of January 28, 2026, to remediate these flaws or disconnect the vulnerable systems.