
CVE-2025-37094: Vulnerability in Hewlett Packard Enterprise (HPE) HPE StoreOnce Software

Severity: Medium
Published: Mon Jun 02 2025 (06/02/2025, 14:02:13 UTC)
Source: CVE Database V5
Vendor/Project: Hewlett Packard Enterprise (HPE)
Product: HPE StoreOnce Software

Description

A directory traversal arbitrary file deletion vulnerability exists in HPE StoreOnce Software.

AI-Powered Analysis

Last updated: 07/11/2025, 08:04:15 UTC

Technical Analysis

CVE-2025-37094 is a directory traversal vulnerability identified in Hewlett Packard Enterprise's (HPE) StoreOnce Software. This vulnerability allows an authenticated user with high privileges (PR:H) to perform arbitrary file deletion on the system by exploiting improper validation of file path inputs. Specifically, the flaw is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), which means that the software fails to properly sanitize or restrict file path parameters, enabling traversal outside the intended directories. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N). The impact primarily affects the integrity and availability of the system, as attackers can delete critical files, potentially causing data loss or service disruption. The CVSS v3.1 base score is 5.5, indicating a medium severity level. The scope is unchanged (S:U), meaning the vulnerability affects resources managed by the same security authority. No known exploits are currently reported in the wild, and no patches have been linked yet. The affected product, HPE StoreOnce Software, is a data backup and deduplication solution widely used in enterprise environments to optimize storage and backup efficiency. Given the nature of the vulnerability, successful exploitation could disrupt backup operations, leading to potential data recovery challenges and operational downtime.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for enterprises relying on HPE StoreOnce for critical backup and disaster recovery processes. The arbitrary file deletion capability can lead to loss of backup data integrity and availability, undermining the reliability of backup systems. This could result in extended downtime during recovery efforts, increased risk of data loss, and potential compliance violations under regulations such as GDPR if backup data is compromised or lost. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, may face amplified risks. Additionally, disruption to backup infrastructure can affect business continuity and operational resilience. Although exploitation requires high privileges, insider threats or compromised administrative accounts could leverage this vulnerability to cause damage. The lack of known exploits in the wild provides a window for proactive mitigation, but the medium severity score indicates that organizations should prioritize remediation to prevent potential exploitation.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify and restrict administrative access to HPE StoreOnce Software, ensuring that only trusted personnel have high privilege accounts. Implement strict access controls and monitor administrative activities for suspicious behavior. Since no official patch is currently available, organizations should engage with HPE support to obtain guidance on interim fixes or workarounds. Network segmentation can be employed to isolate backup infrastructure from general network access, reducing exposure to remote attacks. Regularly audit and validate backup integrity to detect any unauthorized file deletions promptly. Employ robust logging and alerting mechanisms to identify anomalous file system activities related to StoreOnce. Additionally, organizations should prepare incident response plans specific to backup infrastructure compromise. Once patches become available, prioritize timely deployment after testing in controlled environments. Finally, consider deploying application-layer firewalls or intrusion prevention systems capable of detecting and blocking directory traversal attempts targeting StoreOnce interfaces.
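As an added example, not HPE's code or anything taken from this advisory, the Python below shows the CWE-22 defect class described in the technical analysis beside its fix: a deletion handler that resolves the requested path and refuses anything whose real location falls outside its base directory, plus the kind of log-line check for traversal indicators that the mitigation guidance calls for. The base directory, the `/api/files` endpoint, the `path` parameter and the log lines are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Literal or URL-encoded "../" and "..\" segments (assumed indicator, not vendor logic).
TRAVERSAL_RE = re.compile(r"(\.\.|%2e%2e)([/\\]|%2f|%5c)", re.IGNORECASE)

SAMPLE_LOG = [  # constructed lines; endpoint and "path" parameter are hypothetical
    '10.0.0.5 admin "DELETE /api/files?path=jobs%2Fjob1.bak" 200',
    '10.0.0.5 admin "DELETE /api/files?path=..%2F..%2Fetc%2Fpasswd" 200',
    '10.0.0.7 admin "DELETE /api/files?path=../../../var/lib/data" 403',
]

def resolve_within(base: Path, user_path: str) -> Optional[Path]:
    """Resolve user_path under base; None if the real path escapes base.
    resolve() follows symlinks and collapses ".." first; an absolute user_path
    also lands outside. Deleting the raw joined path skips this check (CWE-22)."""
    base_real = base.resolve()
    candidate = (base_real / user_path).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        return None
    return candidate

def delete_in_base(base: Path, user_path: str) -> bool:
    """Hardened delete: only a regular file whose real path stays inside base."""
    target = resolve_within(base, user_path)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True

def flag_traversal_requests(log_lines: list) -> list:
    """Return the log lines carrying a traversal indicator, for alerting."""
    return [line for line in log_lines if TRAVERSAL_RE.search(line)]

def demo() -> dict:
    """Exercise the check against a throwaway base dir and a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        (base := Path(tmp) / "backups").mkdir()
        (base / "job1.bak").write_text("backup data")
        (outside := Path(tmp) / "secret.txt").write_text("must survive")
        return {
            "inside_deleted": delete_in_base(base, "job1.bak"),
            "traversal_blocked": not delete_in_base(base, "../secret.txt"),
            "absolute_blocked": not delete_in_base(base, str(outside)),
            "outside_intact": outside.exists(),
        }
```

The same `relative_to` check after `resolve()` applies to any file-serving or file-removal parameter, not only deletion.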


Technical Details

Data Version: 5.1
Assigner Short Name: hpe
Date Reserved: 2025-04-16T01:28:25.363Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683db18d182aa0cae2478417

Added to database: 6/2/2025, 2:13:33 PM

Last enriched: 7/11/2025, 8:04:15 AM

Last updated: 8/1/2025, 3:23:38 AM
