Every so often, you expect some fresh zero-day to pounce out of the shadows and stir up chaos. What you don't expect—at least, if you're not terminally cynical yet—is to see security agencies still screaming about vulnerabilities first spotted when smartphones had keyboards. That's what you're getting this time around: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has just flagged two bugs, one of which is so ancient the iPhone didn't even exist when it first popped up. Apparently, hackers love vintage software as much as thrift-store junkies.
Microsoft Office PowerPoint: Still Haunting Us From 2009
Let's talk about CVE-2009-0556, the bug haunting Microsoft Office PowerPoint since 2009. That's not a typo. This is a vulnerability that should've gone extinct alongside Clippy. It allows remote attackers to execute arbitrary code via a maliciously crafted PowerPoint file. Basically, if you open the wrong attachment from Cousin Larry, you're cooked. You'd think a twelve-year-old bug wouldn't still matter, but you'd be wrong. Because in boardrooms and small businesses alike, ancient Office versions are still hanging around like a bad cold.
CISA doesn't add vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog just for nostalgia's sake. Make no mistake—active exploitation means that hackers are using this trick, right now, to break into organizations running prehistoric Office installs. If you're still clinging to Office 2007 or 2010 because "it still works," congratulations. You're Public Enemy Number One in every half-competent attacker's playbook.
HPE OneView: A Gaping Hole in IT Infrastructure
Now, onto the slightly less retro—but no less disastrous—HPE OneView vulnerability, CVE-2025-37164. OneView is the tool companies use to manage their data center hardware. You know, the very tech that's supposed to keep the lights on when your systems get hit. The flaw here lets unauthenticated attackers—read: anyone on the internet—run any code they want. Imagine a burglar walking in, finding your keys on the door, and helping themselves to your entire house.
This vulnerability got disclosed in December 2025 (if you believe HPE's cautious optimism about patch timelines), and yes, there are hotfixes for OneView 5.20 through 10. But there's a chasm between release notes and actual updates in the wild. CISA's warning is blunt: criminals aren't waiting around for you to patch. They're already inside, poking around, and writing their own rules on your infrastructure.
Nostalgia Is the Enemy of Security
Patching old software isn't glamorous. It's the digital equivalent of flossing: everyone knows it's essential, almost no one does it consistently, and ignoring it always comes back to bite you. Too many organizations can't—or won't—ditch legacy Office installs, maybe because of ancient macros or proprietary templates. The excuses don't matter. What counts is that those obsolete Office files are time bombs waiting to go off.
Same deal with infrastructure tools like HPE OneView. There's an unspoken rule in enterprise IT: "If it just sits there quietly running, don't touch it." Except, the quieter the system, the longer it's gone unpatched and forgotten, and the juicier a target it becomes. Hackers know this. Security agencies know this. But inertia rules—right up until ransomware locks down your entire operations.
Patch Management: Still a Shambles
The cybersecurity echo chamber loves to hammer a single point: patch your software. Great advice, sure. But here's what never gets enough air time: patch management across sprawling enterprise fleets is a logistical nightmare. Thanks to shadow IT, homegrown solutions, and business-critical applications glued to that one specific Office version, even knowing what to patch can feel Sisyphean.
- Scheduling downtime is a headache.
- Asset inventories are rarely up to date.
- Legacy systems are mission-critical (until they're suddenly mission-fatal).
It's not that IT teams don't want to patch. It's that every patch can break something important, especially when your business has glued together a Frankenstein of old apps and reluctant workarounds. But here's the truth: cybercriminals aren't waiting for you to finish your risk analysis. They're running mass-scan tools, dumping exploits into automation kits, and laughing every time you postpone an upgrade.
Why Do Old Bugs Keep Coming Back?
No matter how much vendors trumpet "End of Support" deadlines, legacy software refuses to die. It's locked into workflows, walled gardens of compliance, or simply held hostage by outdated business logic. Microsoft and HPE can drop patches, issue hotfixes, or yell from the rooftops, but it all amounts to nothing if an organization prefers not to touch systems that seem stable enough.
At this point, the attackers aren't even particularly clever. They're scouring the web for known-vulnerable systems and hitting them with stale exploits that've been quietly sitting in toolkits since Obama was President. This is why a 2009 Office bug makes CISA's "actively exploited" list sixteen years later. And why some sysadmin, somewhere, is probably copying and pasting hotfix instructions from a PDF while attackers are already writing to disk.
What Should You Be Doing About All This?
The guidance hasn't changed in a decade, because the threats haven't either. Here's the key advice, even if it's tedious and repetitive:
- Stop using unsupported software — period.
- Schedule regular, non-negotiable patch cycles.
- Audit your inventory obsessively.
- Monitor for strange behavior, not just known threats.
- Brace for the day one of your "stable" systems caves in.
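The "audit your inventory" and "stop using unsupported software" items above are only actionable if someone actually reconciles what is installed against what CISA says is being exploited. The script below is an added example, not code from the article or from CISA: it parses a feed in the shape of the KEV JSON (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the real ones from the public feed), matches entries against a small asset inventory, flags unsupported installs even when no KEV entry matches them, and orders the exposures by ransomware linkage and CISA due date. The catalog excerpt, the dates, the inventory hosts and the product-matching rule are all constructed for this example; the real feed lives at the URL in the constant and can be swapped in with a single download.

```python
"""Reconcile a software inventory against a CISA KEV-style feed.

Added example, not part of the article. Field names follow the public KEV
JSON schema; every value below (entries, dates, hosts) is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Real location of the live feed; unused here so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the shape of the KEV feed. The CVE ids for PowerPoint
# and OneView come from the article; the dates and ransomware flags are made up.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
         "product": "Office PowerPoint",
         "vulnerabilityName": "Microsoft Office PowerPoint remote code execution",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-37164", "vendorProject": "HPE",
         "product": "OneView",
         "vulnerabilityName": "HPE OneView unauthenticated remote code execution",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-19",
         "knownRansomwareCampaignUse": "Unknown"},
        # Decoy with a placeholder id: same vendor as one asset, different product,
        # so the matcher has to do better than "vendor name equals".
        {"cveID": "CVE-0000-00000", "vendorProject": "Apache",
         "product": "Struts",
         "vulnerabilityName": "placeholder entry (constructed)",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-12",
         "knownRansomwareCampaignUse": "Known"},
    ],
})


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str
    vendor_supported: bool  # does the vendor still ship fixes for this version?


# Constructed inventory: two end-of-life Office installs, one OneView appliance,
# one unrelated web server that must not produce a match.
INVENTORY = [
    Asset("fs01", "Microsoft", "Office PowerPoint", "2010", False),
    Asset("legacy-erp", "Microsoft", "Office Word", "2007", False),
    Asset("dc-mgmt01", "HPE", "OneView", "6.60", True),
    Asset("web01", "Apache", "HTTP Server", "2.4.62", True),
]


def _norm(text: str) -> str:
    """Lower-case, drop hyphens, collapse whitespace so vendor spellings compare."""
    return " ".join(text.lower().replace("-", " ").split())


def load_kev(feed_text: str) -> list[dict]:
    """Return the list of catalog entries from KEV-shaped JSON text."""
    return json.loads(feed_text)["vulnerabilities"]


def matches(entry: dict, asset: Asset) -> bool:
    """Vendor must match; the KEV product name must contain, or be contained in,
    the asset's product name. Deliberately loose: a false positive costs an
    analyst a minute, a false negative is a host left on the exploited list."""
    if _norm(entry["vendorProject"]) != _norm(asset.vendor):
        return False
    kev_product, asset_product = _norm(entry["product"]), _norm(asset.product)
    return kev_product in asset_product or asset_product in kev_product


def _priority(entry: dict) -> tuple[int, str]:
    # Ransomware-linked entries first, then the earliest CISA due date.
    return (0 if entry["knownRansomwareCampaignUse"] == "Known" else 1, entry["dueDate"])


def assess(kev: list[dict], assets: list[Asset]) -> dict:
    """Pair each asset with every KEV entry it matches, ordered by urgency, and
    list hosts running software the vendor no longer supports."""
    exposures = [(a, e) for a in assets for e in kev if matches(e, a)]
    exposures.sort(key=lambda pair: _priority(pair[1]))
    return {
        "exposures": [(a.hostname, e["cveID"], e["dueDate"]) for a, e in exposures],
        "unsupported": [a.hostname for a in assets if not a.vendor_supported],
    }


def report(result: dict) -> str:
    lines = ["KEV exposures (most urgent first):"]
    lines += [f"  {host:<12} {cve:<16} due {due}" for host, cve, due in result["exposures"]]
    lines.append("Unsupported software (patch cycles cannot help here):")
    lines += [f"  {host}" for host in result["unsupported"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(load_kev(KEV_SAMPLE), INVENTORY)))
```

The matching rule is intentionally conservative in the defender's favour; when run against the live feed, expect to triage a handful of extra hits rather than miss one, and treat the "unsupported" list as the queue for replacement rather than patching.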
Compliance won't save you. Hoping that attackers have moved on to shinier bugs is a fantasy. The evidence—straight from CISA—says that they haven't stopped exploiting the oldies, because those are still what works.
So if your business is one of those still running bookings on ancient Office installations or trusting your core to unpatched infrastructure tools, here's your wake-up call: Hackers read KEV catalogs, too, and they're far better at keeping up than the average Fortune 500. Feel free to ignore the warnings, but don't act surprised when you land in the next breach headline.