**CISA Warns of Active Exploits in Microsoft Office and HPE**

**Introduction**

What if your core business operations were compromised—today—due to a Microsoft Office document or a legacy HPE tool you hadn’t thought about in years?

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added two new high-risk vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing ongoing active exploitation. The flaws—one in Microsoft Office (CVE-2023-36884), the other in HPE’s Intelligent Management Center (CVE-2017-9144)—are being actively leveraged by threat actors to gain unauthorized access, bypass security measures, and infiltrate corporate networks. You can read more in the full story from The Hacker News: https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html.

For CISOs, CEOs, and information security leaders, these warnings underscore a persistent reality: No matter how robust your security stack is, threat actors are always probing for missed patches and unmonitored legacy systems.

In this article, we’ll break down:
– What these vulnerabilities are and why they’re dangerous
– How attackers are exploiting them in the wild
– Practical steps you can take now to protect your environment

Let’s dive in before your network ends up on someone else’s target list.

**Understanding the Current Threat Landscape**

Attackers are leaning on old-school tactics with renewed aggression. According to CISA, both CVE-2023-36884 and CVE-2017-9144 are being actively exploited in the wild, indicating that threat actors are targeting common enterprise software with known weaknesses. Let’s unpack what each vulnerability involves.

– CVE-2023-36884: This Microsoft Office and Windows HTML Remote Code Execution (RCE) vulnerability affects how Office handles documents linked to remote content. What’s frightening? No user interaction is needed beyond opening a document.
– CVE-2017-9144: This HPE iMC vulnerability has been known for years but remains unpatched in many aging internal systems. It allows remote code execution via a crafted HTTP request to port 8800.

These are not theoretical flaws—they’ve been weaponized. Microsoft acknowledged exploitation by financially motivated actors aligned with Russian and North Korean interests. Insecure environments running legacy HPE software are also perfect targets for ransomware initial access.

According to IBM’s 2023 Cost of a Data Breach Report:
– 41% of breaches were caused by vulnerabilities that had a patch available.
– The average time to identify and contain a breach was 277 days.

This means your organization could be exposed for months without even knowing it, especially if you’re not actively monitoring KEV-listed CVEs.

**Tactics Attackers Are Using—and Who They’re Targeting**

Threat actors aren’t just targeting governments and critical infrastructure—they’re coming for enterprises of all sizes, especially those with digital sprawl and shadow IT components.

In the case of CVE-2023-36884, attackers have been embedding malicious links in Office documents sent through phishing campaigns. Once opened, these documents can download malware or shellcode without needing macros enabled. Microsoft has traced some of these attacks back to the RomCom hacking group, indicating the use of sophisticated reconnaissance and social engineering tactics.

For CVE-2017-9144, scans on public IP ranges have revealed thousands of exposed HPE iMC systems, most deployed internally by mid-market companies or managed service providers. Attackers are using automated tools to identify these systems and send crafted exploit requests over HTTP. Once inside, they can pivot to other internal assets.

Here’s why this matters:
– Many organizations overlook patching software that isn’t directly internet-facing.
– Perimeter-based detection doesn’t always catch document-based threats.
– Attackers rely on misalignment between IT, security, and business units to find exploitable entry points.

To stay proactive:
– Coordinate with IT to ensure EOL software is documented and, if necessary, segmented or decommissioned.
– Scan internally for outdated systems, especially anything HPE-related deployed pre-2020.
– Educate users: Office-based social engineering attacks are skyrocketing. A well-briefed employee is better than the best spam filter.

**Mitigation Tactics You Can Deploy Today**

Awareness is only part of the battle. Here are specific, actionable steps your security team can take within the next week to reduce exposure to these active threats.

1. **Prioritize Patch Management**
– Patch Microsoft Office to the latest version with mitigations for CVE-2023-36884.
– For systems running HPE Intelligent Management Center, apply vendor patches immediately. If patches aren’t viable due to legacy constraints, isolate or disable the application entirely.

2. **Implement Office File Handling Controls**
– Disable the preview pane in email clients.
– Use Defender Application Guard for Office or sandbox environments to open untrusted documents.
– Restrict outbound connections from Office apps to unknown URLs.

3. **Extend Visibility Across Internal Assets**
– Run asset discovery scans to identify services running on legacy ports like 8800, often used by HPE iMC.
– Check logs for unusual Office document behaviors such as dropped payloads or PowerShell activity right after document interaction.

4. **Leverage Threat Intelligence Platforms**
– Integrate KEV Catalog feeds directly into your vulnerability management tools.
– Tune SIEM and XDR rules based on known Indicators of Compromise (IOCs) for both CVEs.

5. **Communicate Across the Business**
– Alert leadership and business units that depend on affected tools.
– Ensure compliance and legal teams are looped in to understand risk exposure (particularly if customer data is involved).
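
The log check in step 3 can be expressed as detection logic. The following is an added example, not code from CISA, Microsoft or the source article: it flags script interpreters started by an Office process shortly after that process launched, and executable-type files written by an Office process. The events use Sysmon field names (Event ID 1 and 11) with constructed values, and the five-minute window and the process and extension lists are assumptions to tune for your environment.

```python
import ntpath
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
PAYLOAD_EXT = (".exe", ".dll", ".js", ".vbs", ".hta", ".ps1")
WINDOW = timedelta(minutes=5)  # assumption: what "right after" means here

def base(path):
    return ntpath.basename(path).lower()  # parses Windows paths on any OS

def ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def detect(events):
    """Return (rule, host, detail) tuples for suspicious Office activity."""
    office_start = {}  # (host, ProcessGuid) -> time the Office process started
    alerts = []
    for ev in sorted(events, key=ts):
        host = ev["Computer"]
        if ev["EventID"] == 1:  # Sysmon process creation
            if base(ev["Image"]) in OFFICE:
                office_start[(host, ev["ProcessGuid"])] = ts(ev)
            started = office_start.get((host, ev["ParentProcessGuid"]))
            if (started is not None and base(ev["Image"]) in INTERPRETERS
                    and ts(ev) - started <= WINDOW):
                alerts.append(("office_spawned_interpreter", host, ev["CommandLine"]))
        elif ev["EventID"] == 11:  # Sysmon file creation
            if ((host, ev["ProcessGuid"]) in office_start
                    and ev["TargetFilename"].lower().endswith(PAYLOAD_EXT)):
                alerts.append(("office_dropped_payload", host, ev["TargetFilename"]))
    return alerts

# Constructed sample events (field names follow Sysmon; all values are made up).
SAMPLE = [
    {"EventID": 1, "UtcTime": "2026-01-12 09:14:02.101", "Computer": "WS-014", "ProcessGuid": "{W1}",
     "ParentProcessGuid": "{E1}", "Image": r"C:\Office16\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docx"},
    {"EventID": 11, "UtcTime": "2026-01-12 09:14:05.300", "Computer": "WS-014",
     "ProcessGuid": "{W1}", "TargetFilename": r"C:\Users\a\AppData\Local\Temp\update.dll"},
    {"EventID": 1, "UtcTime": "2026-01-12 09:14:09.500", "Computer": "WS-014", "ProcessGuid": "{P1}",
     "ParentProcessGuid": "{W1}", "Image": r"C:\Windows\System32\powershell.exe", "CommandLine": "powershell.exe -NoProfile"},
    {"EventID": 11, "UtcTime": "2026-01-12 09:20:00.000", "Computer": "WS-014",
     "ProcessGuid": "{W1}", "TargetFilename": r"C:\Users\a\Documents\notes.docx"},
    {"EventID": 1, "UtcTime": "2026-01-12 10:00:00.000", "Computer": "WS-020", "ProcessGuid": "{C1}",
     "ParentProcessGuid": "{E2}", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

Matching on `ProcessGuid` rather than image name alone ties each child or file write to the specific Office instance that produced it, which keeps the rule quiet when a user starts `cmd.exe` on their own.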

Remember: Attackers operate continuously. Your patch cycle and threat-detection cadence need to match that pace.
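
To make the KEV integration in step 4 concrete, here is an added example (not code from CISA or the source article) that joins a scanner export against the KEV catalog and orders the matches by remediation due date. The catalog excerpt uses the KEV JSON field names with constructed dates, and the findings list, host names and placeholder CVE ID are assumptions.

```python
import json
from datetime import date

# Constructed excerpt in the KEV JSON layout. The CVE IDs are the two from this
# article; the dates and ransomware flags are sample values, not the catalog's.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2023-36884", "vendorProject": "Microsoft", "product": "Office",
   "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2017-9144", "vendorProject": "HPE",
   "product": "Intelligent Management Center",
   "dateAdded": "2026-01-05", "dueDate": "2026-01-20",
   "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner export: one row per (host, CVE) finding.
FINDINGS = [
    {"host": "ws-014", "cve": "cve-2023-36884"},   # scanners differ on case
    {"host": "imc-01", "cve": "CVE-2017-9144"},
    {"host": "imc-01", "cve": "CVE-0000-00001"},   # placeholder ID, not in KEV
    {"host": "ws-020", "cve": " CVE-2023-36884"},  # stray whitespace
]

def kev_index(raw):
    """Map upper-cased CVE ID -> KEV catalog entry."""
    return {v["cveID"].upper(): v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Return KEV-listed findings, earliest dueDate first. `today` is YYYY-MM-DD."""
    now = date.fromisoformat(today)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"].strip().upper())
        if entry is None:
            continue  # not known-exploited; leave to normal severity triage
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"host": f["host"], "cve": entry["cveID"],
                     "due": entry["dueDate"], "days_left": (due - now).days,
                     "overdue": now > due,
                     "ransomware": entry["knownRansomwareCampaignUse"]})
    return sorted(rows, key=lambda r: (r["due"], r["host"]))

if __name__ == "__main__":
    for row in prioritize(FINDINGS, kev_index(KEV_JSON), date.today().isoformat()):
        print(row)
```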

**Conclusion**

Cyber threats don’t always knock before entering, especially when the door was left ajar years ago. With CISA flagging active exploitation of vulnerabilities in Microsoft Office and HPE tools, it’s a critical moment for security leaders to act—not just react.

These aren’t cutting-edge zero-days. They’re known flaws—one six years old—and threat actors are still finding success with them. This reinforces a central truth in our field: the fundamentals matter. Enforcing patch hygiene, controlling user behavior, and auditing forgotten systems can easily make the difference between a thwarted attack and a full-scale data breach.

Here’s what you can do now:
– Patch and isolate any systems affected by CVE-2023-36884 and CVE-2017-9144.
– Re-evaluate how your organization handles Office files and internal legacy software.
– Subscribe to CISA KEV updates and incorporate them into your weekly risk reviews.

Security isn’t just about responding to headlines. It’s about making sure your organization is never the subject of one.

For full technical details, visit the source article from The Hacker News: https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html.
