In the first week of 2026, cybersecurity teams received a clear warning: attackers aren’t waiting. Threat actors continue to exploit outdated and overlooked systems, while critical infrastructure grows into an even higher-value target. CISA’s Known Exploited Vulnerabilities (KEV) catalog expanded by nearly 20 percent in 2025, and the latest additions highlight a troubling trend. Several newly listed vulnerabilities demonstrate how quickly unpatched systems are being weaponized, including:
- A maximum-severity remote code execution (RCE) vulnerability in HPE OneView that is now confirmed as actively exploited
- A Microsoft Office PowerPoint flaw from 2009 that is still delivering successful attack payloads
- 139 GB of stolen engineering and utility project data reportedly offered for sale on underground marketplaces
Each of these entries in the CISA KEV catalog targets technologies that support infrastructure operations, and they succeed for one primary reason: patching continues to lag behind exploitation.
Below, we break down what these CISA KEV updates mean and what security leaders need to prioritize now.
1. Critical HPE OneView Vulnerability Now Exploited (CVSS 10.0)
CVE-2025-37164, a maximum-severity remote code execution (RCE) vulnerability in HPE OneView, was added to the CISA KEV catalog this week. This inclusion is more than procedural: it confirms active, real-world exploitation and significantly raises the urgency for remediation.
Why this matters:
HPE OneView is an infrastructure automation and management platform widely used across large enterprises and government environments. It centralizes control of servers, storage, and networking. Successful exploitation could grant attackers privileged access to the systems responsible for managing an organization’s core infrastructure.
What makes this vulnerability different:
- CVSS 10.0 severity: The highest possible risk rating
- Confirmed exploitation: Attackers are acting faster than traditional patch cycles
- High blast radius: Compromising a centralized management platform can result in widespread control loss
What security teams should do now:
- Apply vendor-issued patches for HPE OneView immediately
- Verify that management interfaces are not internet-exposed
- Review logs for unauthorized API activity or suspicious authentication attempts
Infrastructure management platforms are becoming increasingly attractive targets, particularly when they are exposed to the internet or accessible through APIs. The speed at which this vulnerability moved into the CISA KEV list reinforces a critical reality: internal tools now require external-grade security controls.
2. 2009 PowerPoint Vulnerability Proves Old Bugs Still Bite
CISA recently added a 2009 Microsoft Office PowerPoint vulnerability to its KEV catalog, highlighting a striking reality: attackers are still successfully exploiting a 15-year-old flaw in active campaigns.
Why this vulnerability remains effective:
- Patching gaps persist in large, distributed Office deployments
- Email-based delivery continues to be a reliable attack vector
- Limited visibility into legacy file execution on endpoints
Key takeaway: Attackers don’t always need zero-day exploits. They exploit known, unpatched vulnerabilities, particularly in environments with broad user access and weak endpoint controls.
Recommended actions for security teams:
- Audit and enforce Office patching across all systems, not just desktops
- Strengthen email and attachment controls, especially for older file formats
- Enable Protected View and restrict macro or embedded content execution
- Implement endpoint controls that detect and block legacy exploit behavior
Organizations with mature security programs don’t just respond to emerging threats; they also eliminate the legacy exposure that attackers rely on. This is a critical step in reducing overall risk and staying ahead of the CISA KEV threat landscape.
3. KEV Growth in 2025: A 20% Spike in Known Exploits
The HPE and Microsoft vulnerabilities are part of a broader, concerning trend. In 2025 alone, CISA added 245 vulnerabilities to its KEV catalog, bringing the total number of entries to approximately 1,484. Among these, 24 were linked to ransomware exploitation, underscoring how attackers continue to leverage known vulnerabilities to scale access and impact.
Why this matters:
- KEV reflects real-world exploitation, not theoretical risk
- Relying only on CVSS scores or generic patch schedules is no longer sufficient
- Effective vulnerability management must be risk-based and context-aware, focusing on actual threats
Actionable recommendations for security teams:
- Align patch SLAs with KEV priorities and treat “known exploited” vulnerabilities as critical
- Prioritize patching for internet-facing systems, remote code execution (RCE) flaws, and authentication vulnerabilities
- Leverage KEV entries for executive reporting on patch program health
By incorporating CISA KEV intelligence into the vulnerability management program, organizations can answer the most important question first: “Is this being actively exploited right now?”
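One way to put the recommendations above into practice, as an added example that is not part of the original post: parse the CISA KEV JSON feed (the field names below match the public feed, but the sample entries, dates, asset names and the CVE-0000-* identifiers are constructed placeholders), rank scanner findings so that KEV-listed CVEs outrank any non-KEV CVE regardless of CVSS, weight ransomware-linked and internet-facing findings higher, and roll the result up into the kind of executive metric the section describes.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names match the real
# feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
# the dates and the CVE-0000-* ids are placeholders, not real catalog data.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-37164", "vendorProject": "HPE", "product": "OneView",
     "dateAdded": "2026-01-06", "dueDate": "2026-01-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCorp", "product": "Widget",
     "dateAdded": "2025-11-01", "dueDate": "2025-11-22", "knownRansomwareCampaignUse": "Known"},
]})

FINDINGS = [  # constructed scanner output: asset, CVE, CVSS base score, exposure
    {"asset": "oneview-mgmt-01", "cve": "CVE-2025-37164", "cvss": 10.0, "internet_facing": True},
    {"asset": "widget-srv-02", "cve": "CVE-0000-00001", "cvss": 7.5, "internet_facing": False},
    {"asset": "intranet-app-03", "cve": "CVE-0000-00002", "cvss": 9.8, "internet_facing": False},
]
TODAY = date(2026, 1, 9)  # constructed reference date for the due-date math

def load_kev(feed_json):
    """Index the KEV feed by CVE id so each finding becomes a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """KEV-listed findings outrank every non-KEV finding regardless of CVSS;
    among KEV entries, ransomware-linked and internet-facing ones come first."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        ransomware = bool(entry) and entry["knownRansomwareCampaignUse"] == "Known"
        if entry:
            score = 100 + (20 if ransomware else 0) + (10 if f["internet_facing"] else 0)
            days_to_due = (date.fromisoformat(entry["dueDate"]) - today).days
        else:
            score, days_to_due = f["cvss"], None  # non-KEV: fall back to severity alone
        ranked.append({**f, "kev": bool(entry), "ransomware": ransomware,
                       "score": score, "days_to_due": days_to_due})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

def kev_report(ranked):
    """Executive roll-up: open KEV findings and how many are past CISA's due date."""
    kev_items = [r for r in ranked if r["kev"]]
    return {"open_kev": len(kev_items),
            "overdue_kev": sum(1 for r in kev_items if r["days_to_due"] < 0),
            "ransomware_linked": sum(1 for r in kev_items if r["ransomware"])}

def run_demo(today=TODAY):
    ranked = prioritize(FINDINGS, load_kev(KEV_FEED), today)
    return ranked, kev_report(ranked)
```

Note that the CVSS 9.8 finding lands last: it is severe on paper but has no exploitation signal, while the CVSS 7.5 ransomware-linked KEV entry is already past its due date.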
4. Engineering Data Breach Highlights Utility Sector Risk
In another example of operational targets under attack, threat actors reportedly stole and offered 139 GB of engineering data for sale, including LiDAR point clouds, orthophotos, and infrastructure design files connected to U.S. utilities.
Even if the full scope of the breach is not yet verified, the trend is clear: attackers are increasingly targeting operational and engineering assets for data extortion, moving beyond traditional customer or financial data attacks.
Why this matters:
- Design and mapping data can be leveraged for physical or digital targeting of critical infrastructure
- Vendor ecosystems often introduce indirect exposure to sensitive operational systems
- Data theft without ransomware is rising: steal now, extort later
Mitigation strategies for security teams:
- Audit all locations of engineering and utility data, including cloud shares, project folders, and legacy systems
- Enforce least-privilege access and monitor for data exfiltration behaviors
- Implement DLP and anomaly detection specifically for operational files
- Strengthen vendor risk management, as threat actors often pivot through supply chains
In critical infrastructure-adjacent environments, sensitive data is often the primary vulnerability. Many organizations are still underestimating this risk, and the CISA KEV catalog reinforces why vigilance across both vulnerabilities and operational data is essential.
Final Thoughts: Clarity in Complexity Starts with Real-World Risk
From a zero-day in infrastructure software to a 15-year-old Microsoft Office flaw still delivering malware, the latest CISA KEV entries tell a clear story: attackers don’t need innovation; they rely on inaction. Security teams that focus solely on severity scores risk missing what KEV makes unambiguously clear: exploited vulnerabilities require immediate attention.
By aligning your vulnerability management, patch strategy, and detection controls with real-world exploitation signals, your organization shifts from reactive security to resilient defense.
Take action now:
- Evaluate your patching and detection programs against CISA KEV intelligence
- Prioritize vulnerabilities that are actively exploited in the wild
- Build executive reporting around KEV-aligned risk metrics
Need help building a KEV-aligned risk strategy? Contact RSI Security today to strengthen defenses where it matters most, against the threats that are active right now.