
CVE-2025-37090: Vulnerability in Hewlett Packard Enterprise (HPE) HPE StoreOnce Software

Medium
Published: Mon Jun 02 2025 (06/02/2025, 13:26:46 UTC)
Source: CVE Database V5
Vendor/Project: Hewlett Packard Enterprise (HPE)
Product: HPE StoreOnce Software

Description

A server-side request forgery vulnerability exists in HPE StoreOnce Software.

AI-Powered Analysis

Last updated: 07/11/2025, 08:04:27 UTC

Technical Analysis

CVE-2025-37090 is a server-side request forgery (SSRF) vulnerability identified in Hewlett Packard Enterprise's (HPE) StoreOnce Software. SSRF vulnerabilities occur when an attacker can manipulate a server into sending requests on the attacker's behalf to internal or external systems, potentially bypassing network access controls. In this case, the vulnerability allows an unauthenticated attacker to induce the HPE StoreOnce server to make arbitrary HTTP requests. The CVSS 4.0 base score is 6.9 (medium severity): the vector indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges and no user interaction, and has a limited impact on confidentiality with no integrity or availability impact. The affected product, HPE StoreOnce Software, is a data backup and deduplication solution widely used in enterprise environments for efficient storage management. The vulnerability could allow attackers to reach internal resources or services behind firewalls, potentially leading to information disclosure or further exploitation if combined with other vulnerabilities. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is categorized under CWE-918, which covers SSRF issues. Given the nature of the vulnerability, attackers could leverage it to scan internal networks, access metadata services, or interact with internal APIs that are otherwise inaccessible externally. This could lead to reconnaissance or indirect attacks on internal infrastructure. However, the lack of integrity or availability impact and the limited confidentiality impact reduce the overall severity compared to more critical SSRF cases.

Potential Impact

For European organizations, the impact of CVE-2025-37090 depends largely on the deployment scale of HPE StoreOnce Software within their IT infrastructure. As StoreOnce is commonly used for backup and deduplication, exploitation could expose internal network details or sensitive backup management interfaces, potentially leading to information leakage. This could compromise the confidentiality of backup configurations or metadata, which might contain sensitive organizational information. While direct data corruption or service disruption is unlikely, the SSRF could be a stepping stone for attackers to pivot within the network or access internal services that are otherwise protected. This is particularly concerning for organizations with strict data protection requirements under GDPR, as unauthorized access to internal systems or data could lead to compliance violations and reputational damage. Additionally, because the SSRF can be triggered without authentication, the risk of automated scanning and exploitation attempts is higher. The absence of known exploits and the medium severity rating suggest that immediate widespread impact is limited, but organizations should remain vigilant given the potential for chained attacks.

Mitigation Recommendations

1. Monitor network traffic from HPE StoreOnce servers for unusual outbound requests, especially to internal IP ranges or unexpected external endpoints.
2. Implement strict egress filtering on network devices to restrict the StoreOnce server's ability to initiate arbitrary outbound connections.
3. Apply network segmentation to isolate backup infrastructure from critical internal services to limit the impact of SSRF exploitation.
4. Regularly check for and apply official patches or updates from HPE as they become available for StoreOnce Software.
5. Employ Web Application Firewalls (WAFs) or Intrusion Detection/Prevention Systems (IDS/IPS) with SSRF detection capabilities to identify and block malicious request patterns.
6. Conduct internal security assessments and penetration tests focusing on SSRF vectors within backup and storage management systems.
7. Review and harden StoreOnce configuration settings to minimize exposure of internal services and disable unnecessary features that could be leveraged by SSRF attacks.
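Recommendations 1 and 2 above amount to an egress allowlist for the StoreOnce appliance: anything it initiates toward internal ranges, link-local metadata addresses, or external hosts that is not expected backup or management traffic deserves a look. The script below is an added illustration, not HPE's or this database's code; the flow-log format, the appliance address 10.20.30.40 and the allowlisted destinations are constructed assumptions for a hypothetical deployment.

```python
import ipaddress
import re

# Constructed firewall/flow log sample (not real StoreOnce or firewall output).
SAMPLE_FLOWS = """\
2025-06-02T13:26:46Z src=10.20.30.40 dst=10.20.30.5 dport=443 action=allow
2025-06-02T13:26:47Z src=10.20.30.40 dst=169.254.169.254 dport=80 action=allow
2025-06-02T13:26:48Z src=10.20.30.40 dst=10.0.0.15 dport=8080 action=allow
2025-06-02T13:26:49Z src=10.20.30.40 dst=203.0.113.77 dport=443 action=allow
2025-06-02T13:26:50Z src=10.20.30.41 dst=10.0.0.15 dport=8080 action=allow
2025-06-02T13:26:51Z src=10.20.30.40 dst=10.20.30.10 dport=514 action=allow
"""

# Hypothetical deployment facts: the StoreOnce appliance's address and the
# (destination, port) pairs its legitimate backup/management traffic uses.
STOREONCE_HOSTS = {"10.20.30.40"}
ALLOWED_DESTINATIONS = {
    ("10.20.30.5", 443),   # backup application server (assumed)
    ("10.20.30.10", 514),  # syslog collector (assumed)
}

# Ranges an SSRF-induced request is typically aimed at: private networks,
# loopback, and the link-local range used by metadata services.
SENSITIVE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def classify(dst: str) -> str:
    """Label a destination as internal/metadata or external."""
    addr = ipaddress.ip_address(dst)
    return "internal-or-metadata" if any(addr in n for n in SENSITIVE_NETS) else "external"

def flag_ssrf_egress(log_text: str) -> list:
    """Return StoreOnce-originated flows that are not on the egress allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] not in STOREONCE_HOSTS:
            continue  # unparseable, or not initiated by a StoreOnce host
        dport = int(m["dport"])
        if (m["dst"], dport) in ALLOWED_DESTINATIONS:
            continue  # expected backup/management traffic
        findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "dport": dport, "kind": classify(m["dst"])})
    return findings

if __name__ == "__main__":
    for f in flag_ssrf_egress(SAMPLE_FLOWS):
        print(f)
```

On the constructed sample the script flags three flows (the metadata address, an internal host on 8080, and an unlisted external host) and ignores the allowlisted and non-StoreOnce lines.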


Technical Details

Data Version: 5.1
Assigner Short Name: hpe
Date Reserved: 2025-04-16T01:28:25.362Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683dca2c182aa0cae24b06ad

Added to database: 6/2/2025, 3:58:36 PM

Last enriched: 7/11/2025, 8:04:27 AM

Last updated: 7/30/2025, 10:37:10 PM
