CVE-2025-37091

7.2 HIGH

📋 TL;DR

A command injection vulnerability in HPE StoreOnce Software allows remote attackers to execute arbitrary commands on affected systems. This affects organizations using vulnerable versions of HPE StoreOnce backup appliances. Attackers can gain unauthorized access and potentially compromise the entire backup infrastructure.

💻 Affected Systems

Products:
  • HPE StoreOnce Software
Versions: Specific versions not detailed in provided reference; check HPE advisory for exact affected versions
Operating Systems: HPE StoreOnce appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects HPE StoreOnce backup appliances running vulnerable software versions. Exact version ranges should be verified in the HPE advisory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Unauthorized command execution leading to data exfiltration, backup corruption, or installation of persistence mechanisms.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH if exposed to internet without proper firewalling, as remote exploitation is possible.
🏢 Internal Only: HIGH as internal attackers or compromised systems could exploit this vulnerability to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Command injection vulnerabilities typically have low exploitation complexity once details are known. Authentication status unclear from provided information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check HPE advisory for specific patched versions

Vendor Advisory: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US

Restart Required: Yes

Instructions:

1. Review HPE advisory for affected versions.
2. Download appropriate patch from HPE support portal.
3. Apply patch following HPE StoreOnce update procedures.
4. Restart appliance as required.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to StoreOnce appliances to only authorized management systems

Access Control Hardening

all

Implement strict authentication and authorization controls for StoreOnce management interfaces

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate StoreOnce appliances from untrusted networks
  • Monitor for unusual command execution patterns and unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Log into the StoreOnce management interface, navigate to System Information, and check the StoreOnce software version against the HPE advisory.

Check Version:

Check via the StoreOnce web interface under System > About; the CLI command varies by version.

Verify Fix Applied:

Verify software version matches patched version specified in HPE advisory after applying update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • Unauthorized access attempts to management interfaces
  • Unexpected process creation

Network Indicators:

  • Unusual network traffic to/from StoreOnce management ports
  • Suspicious command strings in network traffic

SIEM Query:

source="storeonce" AND (event_type="command_execution" OR event_type="authentication_failure")
