CISA flags exploited Office relic alongside fresh HPE flaw
Briefly

"CVE-2025-37164 carries a perfect 10.0 CVSS score and affects HPE OneView, software used to manage servers, storage, and networking gear from a central console. In a December 18 advisory, HPE said the flaw could be exploited to inject and execute code, potentially granting full control of affected environments, though it did not say at the time whether attacks were already underway."
"CISA has added a pair of security holes to its actively exploited list, warning that attackers are now abusing a maximum-severity bug in HPE's OneView management software and a years-old flaw in Microsoft Office. The latest update to CISA's Known Exploited Vulnerabilities catalog flags CVE-2025-37164, a code injection vulnerability in HPE OneView, and CVE-2009-0556, a PowerPoint code injection bug that's been lurking for more than 15 years."
CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog: a maximum-severity code-injection bug in HPE OneView (CVE-2025-37164) and a long-standing PowerPoint code-injection flaw (CVE-2009-0556). CVE-2025-37164 has a 10.0 CVSS score and can allow injection and execution of code, potentially granting full control of managed environments. A December 18 HPE advisory described the risk but did not confirm observed exploitation. Proof-of-concept exploit code from Rapid7 and warnings from eSentire lowered the barrier to compromise. CVE-2009-0556 permits remote code execution via specially crafted PowerPoint files and was patched by Microsoft in MS09-017.
Read at The Register