CISA Mandates Emergency Patches for Critical Microsoft Office and HPE OneView Flaws
Federal agencies face a January 28 deadline as CISA adds two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. With a maximum CVSS score of 10.0, the HPE OneView flaw is one of the most severe threats currently facing enterprise infrastructure management systems.
The U.S. Cybersecurity and Infrastructure Security Agency has issued an urgent directive requiring federal agencies to address two actively exploited security weaknesses before the end of January. The announcement, made on Wednesday, places particular emphasis on a devastating flaw in Hewlett Packard Enterprise's infrastructure management platform that received the maximum possible severity rating.
Technical Breakdown of the Disclosed Flaws
The first vulnerability affects Microsoft Office PowerPoint through a code injection mechanism. Despite its age (it is tracked as CVE-2009-0556), the flaw has resurfaced in active exploitation campaigns, showing how legacy vulnerabilities keep posing risk wherever they remain unpatched.
The second and more severe issue targets HPE OneView, a widely deployed IT infrastructure management platform that enterprises use to oversee their entire technology stack from a single interface. The flaw lets a completely unauthenticated attacker execute code remotely, which makes it particularly dangerous for organizations that expose OneView to network access; exposure of the management interface, not just the underlying hosts, is what needs to be inventoried.
Scope of Impact and Available Fixes
HPE disclosed the OneView vulnerability last month, confirming that every software release before version 11.00 remains susceptible to exploitation. Organizations running older deployments can apply vendor-provided hotfixes covering versions 5.20 through 10.20; upgrading to 11.00 or later removes the need for the hotfix.
Ongoing Uncertainty Around Attack Attribution
Uncertainty about who is behind the attacks underscores the importance of proactive vulnerability management: once federal authorities have confirmed active exploitation, organizations cannot afford to wait for attribution before taking protective action.
Frequently Asked Questions
What is the Known Exploited Vulnerabilities catalog?
The Known Exploited Vulnerabilities catalog is a database maintained by CISA of security flaws confirmed to be actively exploited in real-world attacks. Under BOD 22-01, federal agencies are legally required to remediate these vulnerabilities within specified timeframes.
Why is a vulnerability from 2009 still relevant?
CVE-2009-0556 demonstrates that attackers continuously scan for and exploit unpatched legacy systems. Many organizations still run older software versions, so historical vulnerabilities remain relevant until they are fully remediated across every environment.
Does the deadline apply to organizations outside the federal government?
BOD 22-01 only mandates compliance for federal agencies, but private enterprises should treat KEV additions as high-priority patches. Adopting the same January 28 deadline provides a reasonable remediation window aligned with federal practice.
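An added example, not part of the article or any CISA or HPE tooling, that turns the KEV deadline guidance above and the OneView version ranges from the remediation section into a small Python triage script. The catalog JSON is a constructed sample shaped like CISA's public KEV feed (field names such as cveID and dueDate follow the real feed), the HPE CVE id is a placeholder because the article does not name it, and the dates are illustrative.

```python
"""Triage KEV catalog entries by BOD 22-01 due date and classify an HPE OneView
version against the affected/hotfix ranges stated in the article."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. CVE-2009-0556 is the
# PowerPoint flaw named in the article; the HPE entry uses a placeholder id.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
     "product": "Office PowerPoint", "dateAdded": "2026-01-07",
     "dueDate": "2026-01-28", "requiredAction": "Apply vendor patches."},
    {"cveID": "CVE-XXXX-XXXXX", "vendorProject": "Hewlett Packard Enterprise",
     "product": "OneView", "dateAdded": "2026-01-07",
     "dueDate": "2026-01-28", "requiredAction": "Apply hotfix or upgrade to 11.00."},
    {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor",  # constructed
     "product": "Widget", "dateAdded": "2025-11-01",
     "dueDate": "2025-11-22", "requiredAction": "Apply vendor patches."},
]})


def kev_triage(kev_json: str, today_iso: str, horizon_days: int = 14) -> dict:
    """Bucket catalog entries into overdue / due_soon / later relative to today.
    today_iso is an ISO date string (YYYY-MM-DD), matching the feed's format."""
    today = date.fromisoformat(today_iso)
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            buckets["overdue"].append(entry["cveID"])
        elif days_left <= horizon_days:
            buckets["due_soon"].append(entry["cveID"])
        else:
            buckets["later"].append(entry["cveID"])
    return buckets


def parse_version(version: str) -> tuple:
    """'10.20' -> (10, 20); assumes the major.minor form the article uses."""
    return tuple(int(part) for part in version.split("."))


def oneview_status(version: str) -> str:
    """'fixed' for 11.00 and later; 'hotfix' for 5.20..10.20 (vendor hotfix
    available); 'upgrade' for any other pre-11.00 release (affected, and the
    article lists no hotfix for it)."""
    v = parse_version(version)
    if v >= (11, 0):
        return "fixed"
    if (5, 20) <= v <= (10, 20):
        return "hotfix"
    return "upgrade"
```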