1. CISA has added a PowerPoint vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that a long-standing Microsoft PowerPoint code-injection flaw (CVE-2009-0556) is being actively exploited by threat actors in real-world attacks. This designation means there is verified evidence of exploitation — not just theoretical risk.

2. How the vulnerability works
Attackers craft specially designed PowerPoint files that embed malicious data with invalid internal index values (specifically in the OutlineTextRefAtom structure). When a victim opens such a file, this triggers memory corruption, allowing execution of arbitrary code with the user’s privileges.

3. Who is affected
This flaw is in legacy PowerPoint versions — older Office suites such as PowerPoint 2000/2002/2003 and Office 2004 for Mac. These products are long past mainstream support, meaning they no longer receive regular security updates.

4. Real-world exploitation reported
Security reporting indicates that threat actors are already targeting this flaw, including cases observed on macOS systems. Administrators and end users alike are advised to treat this risk seriously.

What You Should Do

• Avoid opening suspicious PowerPoint files, especially from untrusted or unknown sources (the primary exploitation vector).
• Upgrade away from unsupported Office/PowerPoint versions to current, supported releases — legacy versions lack modern security protections.
• Endpoint protection & email filtering: Ensure your security stack is tuned to detect and block malicious attachments and in-memory exploitation behavior.

Why It Matters

• A vulnerability this old being actively exploited underscores the risks of running unsupported and unpatched software.
• Inclusion in CISA’s KEV Catalog usually signals that organizations should prioritize mitigation quickly, particularly for enterprise and federal networks.