
CISA Adds HPE OneView and Microsoft Office PowerPoint Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2023-38041, affecting HPE OneView, and CVE-2009-0556, affecting Microsoft Office PowerPoint.

CVE-2023-38041 is a remote code execution (RCE) vulnerability in HPE OneView, the management platform for HPE servers, storage and networking devices. A successful exploit lets an attacker run arbitrary code on the affected system, which can lead to full compromise of the appliance and, through it, of the infrastructure it manages.

CVE-2009-0556 is a memory corruption vulnerability in Microsoft Office PowerPoint, triggered when the application parses a malformed PowerPoint file. An attacker who convinces a user to open a malicious document can execute arbitrary code with that user's privileges. The vulnerability dates from 2009; its appearance in the catalog shows that old bugs are still used against systems that never received the fix, such as unsupported Office installations.

Inclusion in the KEV catalog means CISA has evidence that a vulnerability is being actively exploited in the wild; it is not a severity rating on its own. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate each listed vulnerability by the due date CISA assigns to it, and many organisations outside government use the catalog the same way to prioritise patching.

For HPE OneView, apply the vendor's fixed release and keep the appliance's management interface off the internet, reachable only from a management network with tight access controls; until the patch is in place, network segmentation limits who can reach the vulnerable service at all. For PowerPoint, the fix is the security update or a supported Office version. The flaw is in file parsing rather than in macros, so disabling macros does not block it; educating users about untrusted attachments and opening documents in a sandboxed or protected viewing mode such as Office's Protected View reduce exposure until systems are updated.

The addition of these two entries underlines the ongoing threat from both new and years-old vulnerabilities. Timely patching, an accurate asset inventory and a routine check of that inventory against the catalog remain the core defences against exploitation.
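As an added example, not code from the article or from CISA, the script below shows how a defender turns a KEV addition like this one into action: it parses a feed document in the real catalog's JSON shape, lists entries added since the last check, and ranks a CVE inventory by remediation due date, flagging anything already overdue. Only the field names are taken from the real feed (URL in the docstring); the feed content, the inventory, the asset names and every date are constructed placeholders, not CISA's actual records.

```python
"""Check a CVE inventory against a snapshot of the CISA KEV feed.

Added example, not CISA tooling. SAMPLE_KEV_JSON is a constructed document in
the shape of the real feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
its dates, names and descriptions are placeholders, not the catalog's records.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = r"""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2025-01-15T12:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2023-38041", "vendorProject": "HPE", "product": "OneView",
     "vulnerabilityName": "HPE OneView Remote Code Execution Vulnerability (sample)",
     "dateAdded": "2025-01-15", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft", "product": "Office PowerPoint",
     "vulnerabilityName": "Microsoft Office PowerPoint Memory Corruption Vulnerability (sample)",
     "dateAdded": "2024-12-01", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2024-12-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Constructed inventory: CVE IDs a scanner reported, mapped to the affected assets.
# CVE-2024-99999 is a placeholder ID used only to exercise the "not in KEV" path.
INVENTORY = {
    "CVE-2023-38041": ["oneview-mgmt-01"],
    "CVE-2009-0556": ["finance-ws-07", "finance-ws-12"],
    "CVE-2024-99999": ["build-server-03"],
}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string (the feed's own format)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev(feed_text):
    """Parse a KEV feed document and index its entries by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def added_since(kev, since):
    """CVE IDs whose dateAdded is on or after `since`, newest first.

    Run this with the date of your last check to see what CISA has added.
    """
    since = _as_date(since)
    hits = [e for e in kev.values() if date.fromisoformat(e["dateAdded"]) >= since]
    hits.sort(key=lambda e: e["dateAdded"], reverse=True)
    return [e["cveID"] for e in hits]


def check_inventory(kev, inventory, today):
    """Cross-reference inventory CVEs with KEV and compute days until the due date.

    Returns one record per CVE, most urgent first: overdue entries, then those
    closest to their due date, then CVEs that are not in the catalog at all.
    """
    today = _as_date(today)
    report = []
    for cve_id, assets in inventory.items():
        entry = kev.get(cve_id)
        if entry is None:
            report.append({"cveID": cve_id, "assets": assets, "in_kev": False,
                           "due_date": None, "days_until_due": None, "overdue": False})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        report.append({"cveID": cve_id, "assets": assets, "in_kev": True,
                       "due_date": entry["dueDate"], "days_until_due": days_left,
                       "overdue": days_left < 0,
                       "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown")})
    report.sort(key=lambda r: (not r["in_kev"], r["days_until_due"] if r["in_kev"] else 0))
    return report


def overdue_cves(report):
    """CVE IDs from a check_inventory() report that are past their KEV due date."""
    return [r["cveID"] for r in report if r["overdue"]]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("Added since 2025-01-01:", added_since(kev, "2025-01-01"))
    for r in check_inventory(kev, INVENTORY, "2025-01-20"):
        status = "NOT IN KEV" if not r["in_kev"] else (
            f"OVERDUE by {-r['days_until_due']}d" if r["overdue"]
            else f"due in {r['days_until_due']}d ({r['due_date']})")
        print(f"{r['cveID']:<15} {status:<28} {', '.join(r['assets'])}")
```

Against the live feed, replace SAMPLE_KEV_JSON with the downloaded document and feed `today` from the system clock; the `knownRansomwareCampaignUse` field is carried through so entries with known ransomware use can be pushed further up the queue.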