CVE-2025-37091 is a high-severity remote code execution vulnerability affecting Hewlett Packard Enterprise's (HPE) StoreOnce Software. The vulnerability is classified as a command injection flaw (CWE-77), which allows an attacker with high privileges to execute arbitrary commands on the underlying operating system remotely. The CVSS v3.1 score is 7.2, indicating a high impact on confidentiality, integrity, and availability. The vector string (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) shows that the attack can be performed over the network without user interaction but requires the attacker to have high-level privileges (PR:H). The vulnerability does not require user interaction and affects the confidentiality, integrity, and availability of the system fully. HPE StoreOnce Software is a data protection and backup solution widely used in enterprise environments for efficient backup storage and deduplication. Exploitation of this vulnerability could allow an attacker to execute arbitrary commands, potentially leading to full system compromise, data theft, destruction, or disruption of backup services. Although no known exploits are currently reported in the wild, the vulnerability's nature and impact make it a critical concern for organizations relying on HPE StoreOnce for data protection. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring.

For European organizations, the impact of this vulnerability is significant due to the critical role HPE StoreOnce Software plays in backup and disaster recovery infrastructures. Successful exploitation could lead to unauthorized access to sensitive backup data, data corruption, or complete disruption of backup services, severely affecting business continuity and compliance with data protection regulations such as GDPR. The loss or compromise of backup data could result in extended downtime, financial losses, and reputational damage. Additionally, since backups often contain sensitive or regulated data, a breach could lead to regulatory penalties. The requirement for high privileges to exploit the vulnerability means that insider threats or attackers who have already gained elevated access could leverage this flaw to escalate their control. European organizations with complex IT environments and stringent data protection requirements must prioritize addressing this vulnerability to maintain operational resilience and regulatory compliance.

Given the absence of an official patch at the time of disclosure, European organizations should implement the following specific mitigation strategies: 1) Restrict administrative access to HPE StoreOnce management interfaces strictly to trusted personnel and secure networks using network segmentation and access control lists (ACLs). 2) Employ multi-factor authentication (MFA) for all privileged accounts to reduce the risk of credential compromise. 3) Monitor logs and network traffic for unusual command execution patterns or unauthorized access attempts targeting StoreOnce systems. 4) Temporarily disable or limit remote management capabilities if feasible until a patch is released. 5) Conduct thorough privilege audits to ensure that only necessary users have high-level access to the StoreOnce environment. 6) Prepare for rapid deployment of patches once available by maintaining an up-to-date inventory of affected systems. 7) Consider deploying application-layer firewalls or intrusion prevention systems (IPS) with custom rules to detect and block command injection attempts against StoreOnce interfaces. 8) Educate IT and security teams about the vulnerability specifics to enhance detection and response capabilities.