The Cybersecurity and Infrastructure Security Agency (CISA) has taken the significant step of adding two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, a move that mandates federal agencies to patch them within strict deadlines. The entries include a 15-year-old Microsoft PowerPoint code-injection flaw (CVE-2009-0556) and a newly disclosed, critical vulnerability in HPE OneView (CVE-2025-37164). This action underscores a critical reality in modern cybersecurity: threat actors are not only exploiting fresh vulnerabilities but are also actively weaponizing legacy flaws that many organizations may have long forgotten or considered irrelevant.

Understanding the KEV Catalog and Binding Operational Directive 22-01

CISA's KEV Catalog is not merely an advisory list; it is a foundational component of Binding Operational Directive (BOD) 22-01. This directive requires all Federal Civilian Executive Branch (FCEB) agencies to identify, patch, and mitigate vulnerabilities listed in the catalog within defined timeframes—typically 30 days for most flaws. While the directive directly binds federal agencies, its influence is far-reaching. The KEV Catalog serves as a de facto priority list for the entire public and private sector, signaling which vulnerabilities are being actively exploited in the wild and therefore demand immediate attention. CISA's authority to compel action on such a wide temporal range of vulnerabilities, from brand-new to over a decade old, highlights the evolving and persistent nature of the threat landscape.

Deep Dive: CVE-2009-0556 - The 15-Year-Old PowerPoint Threat

CVE-2009-0556 is a memory corruption vulnerability in Microsoft PowerPoint. Specifically, it exists in the way PowerPoint parses legacy PowerPoint 4.0 file formats (.ppt, .pps). Successful exploitation could allow an attacker to execute arbitrary code on a victim's system by tricking them into opening a specially crafted malicious PowerPoint file. Microsoft originally addressed this vulnerability with a security update in July 2009 as part of MS09-017.

Why is a 2009 Flaw Back in the Spotlight?

The re-emergence of this vulnerability is a stark lesson in attack surface management. According to CISA's KEV entry, there is evidence of active exploitation of this vulnerability. There are several plausible reasons for this resurgence:

  • Legacy Systems and Files: Many organizations, particularly in government, industrial, and academic sectors, maintain archives of legacy documents. Threat actors may be crafting malicious files that appear to be old reports or presentations, counting on these files being opened on modern systems.
  • Software Compatibility: To maintain compatibility with old file formats, modern versions of Microsoft Office (including those in Microsoft 365) may still contain code paths to parse these legacy formats, potentially leaving the vulnerability latent if the original patch is not applied or is circumvented.
  • Expanded Attack Vectors: An old, well-documented vulnerability can be integrated into new phishing campaigns or malware distribution chains, especially when targeting systems that may be misconfigured or unpatched due to their age.

Microsoft's official stance, as reflected in its security update guide, is that the 2009 patch resolves the issue. However, CISA's action suggests that either the patch is not universally deployed, or attackers have found methods to bypass it in certain configurations, making ongoing vigilance essential.

Deep Dive: CVE-2025-37164 - The Critical HPE OneView Flaw

In stark contrast to the archival PowerPoint flaw, CVE-2025-37164 is a newly disclosed, critical vulnerability in HPE OneView, a data center infrastructure management software used for provisioning, updating, and managing HPE servers, storage, and networking. CISA's entry notes active exploitation and assigns a CVSS v3.1 base score of 9.8 (Critical).

While the exact technical details are still emerging as HPE prepares its security bulletin, vulnerabilities in infrastructure management tools like OneView are particularly dangerous. They often provide privileged access to the core hardware and software of a data center. Exploitation could lead to:

  • Full System Compromise: An attacker could potentially gain control over managed servers.
  • Data Center Disruption: The ability to re-provision, shut down, or corrupt firmware on critical infrastructure.
  • Pivoting Point: Use the management platform as a trusted launchpad for lateral movement across an entire IT environment.

HPE has acknowledged the vulnerability and is expected to release updates and mitigation guidance shortly. The rapid addition to the KEV catalog indicates that proof-of-concept exploit code may already be public or that sophisticated threat groups are actively targeting it.

The Broader Implications: A Two-Front War on Security

CISA's dual addition reveals a strategic challenge for defenders. Organizations must now fight a two-front war:

  1. The Front of Novel Threats: Rapidly responding to critical, freshly disclosed vulnerabilities in complex software like HPE OneView (CVE-2025-37164). This requires efficient patch management workflows and robust vulnerability scanning.
  2. The Rear of Legacy Threats: Continuously defending against the re-exploitation of old vulnerabilities (CVE-2009-0556). This demands comprehensive asset management, understanding software dependencies, and maintaining security hygiene even for older software and file formats that remain in use.

This action powerfully reinforces that "patch once and forget" is an obsolete strategy. The security lifecycle of a software vulnerability may extend far beyond its initial disclosure and patch release, sometimes for over a decade. Threat actors continuously scan for and exploit any weakness, regardless of its age, especially if it provides a reliable path to infiltration.

Actionable Guidance for IT and Security Teams

For federal agencies, the path is clear: comply with BOD 22-01 by applying patches or implementing prescribed mitigations before the deadline. For private sector organizations, the KEV Catalog should be treated as a critical intelligence feed for prioritization.

For CVE-2009-0556 (PowerPoint):
- Verify Patch Status: Ensure all systems running Microsoft Office, including current versions, have the applicable historical updates installed. The relevant update is MS09-017.
- Implement Application Controls: Consider using application allowlisting or Microsoft's Attack Surface Reduction rules to block Office applications from creating child processes or executing potentially malicious code.
- User Awareness: Reinforce training about the dangers of opening unexpected email attachments, especially legacy file formats.
- Network and Email Filtering: Deploy security tools that can inspect and sanitize Office documents at the perimeter.

For CVE-2025-37164 (HPE OneView):
- Immediate Action: Monitor the HPE Security Bulletin portal diligently for the official advisory and patches.
- Assess Exposure: Inventory all instances of HPE OneView in your environment, noting versions and network accessibility.
- Network Segmentation: Ensure management interfaces like OneView are not directly exposed to the internet and are placed on isolated, tightly controlled network segments.
- Prepare for Patching: Develop a rollout plan for the impending HPE patch to deploy it rapidly across your infrastructure.
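As an added example (not from the article, CISA or HPE), the script below treats the KEV feed as the prioritization input the guidance above describes: it joins KEV entries to a local asset inventory by vendor and product, then ranks the matches by BOD 22-01 due date and network exposure. The KEV excerpt, host names and due dates are constructed placeholders; only the JSON layout and field names follow CISA's published feed.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates and the third entry are placeholders, not CISA's real values.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    {"cveID": "CVE-2025-37164", "vendorProject": "HPE", "product": "OneView",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    {"cveID": "CVE-0000-0000", "vendorProject": "PlaceholderVendor",
     "product": "PlaceholderProduct", "dateAdded": "2025-01-01", "dueDate": "2025-02-01"},
]})

# Constructed asset inventory (hypothetical hosts); "exposure" would normally
# come from your own segmentation records, not from the KEV feed.
ASSET_INVENTORY = [
    {"host": "ws-finance-07", "vendor": "Microsoft", "product": "Office", "exposure": "internal"},
    {"host": "oneview-mgmt-01", "vendor": "HPE", "product": "OneView", "exposure": "internet"},
    {"host": "build-02", "vendor": "OtherVendor", "product": "OtherProduct", "exposure": "internal"},
]

def kev_priorities(kev_json, inventory, today_iso):
    """Join KEV entries to inventory by vendor+product and rank the matches.

    Sort order: already-overdue first, then soonest BOD 22-01 due date, then
    internet-exposed hosts before internal ones. Returns a list of dicts.
    """
    today = date.fromisoformat(today_iso)
    by_product = {}
    for e in json.loads(kev_json)["vulnerabilities"]:
        key = (e["vendorProject"].lower(), e["product"].lower())
        by_product.setdefault(key, []).append(e)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for e in by_product.get(key, []):
            days_left = (date.fromisoformat(e["dueDate"]) - today).days
            findings.append({"cveID": e["cveID"], "host": asset["host"],
                             "dueDate": e["dueDate"], "days_left": days_left,
                             "overdue": days_left < 0, "exposure": asset["exposure"]})
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"],
                                 f["exposure"] != "internet", f["cveID"]))
    return findings

if __name__ == "__main__":
    for f in kev_priorities(SAMPLE_KEV_JSON, ASSET_INVENTORY, date.today().isoformat()):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['cveID']:16} {f['host']:16} {f['exposure']:9} {flag}")
```

Swapping the embedded sample for the downloaded feed and your real CMDB export turns this into a daily due-date report that ranks a 2009 Office flaw and a 2025 OneView flaw on the same footing, which is the point the article makes.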

Conclusion: The KEV Catalog as a Strategic Compass

The addition of these two vulnerabilities—spanning 15 years in disclosure—to the KEV Catalog is a potent reminder from CISA. The cyber threat landscape is non-linear. Defenders must cultivate both agility in responding to emergent critical threats and diligence in managing the long tail of historical risks. By treating the KEV Catalog not as a list of compliance items but as a validated, real-time intelligence feed on attacker behavior, organizations can significantly sharpen their threat prioritization and fortify their defenses against both the vulnerabilities of today and the ghosts of cybersecurity past. The mandate is clear: continuous vigilance and proactive patch management are no longer best practices but fundamental requirements for operational resilience.