
CVE-2025-37095: Vulnerability in Hewlett Packard Enterprise (HPE) HPE StoreOnce Software

Severity: Medium
Published: Mon Jun 02 2025 (06/02/2025, 14:14:51 UTC)
Source: CVE Database V5
Vendor/Project: Hewlett Packard Enterprise (HPE)
Product: HPE StoreOnce Software

Description

A directory traversal information disclosure vulnerability exists in HPE StoreOnce Software.

AI-Powered Analysis

Last updated: 07/11/2025, 08:04:35 UTC

Technical Analysis

CVE-2025-37095 is a directory traversal vulnerability in HPE StoreOnce Software, the backup and deduplication software that runs on HPE's StoreOnce appliances. It is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): a client-supplied path component is joined to a base directory without being confined to it, so segments such as '../' (or their URL-encoded forms) let the caller read files outside the directory the interface is meant to serve. The CVSS 4.0 base score is 5.9 (medium). The attack is network-reachable (AV:N) with low complexity (AC:L) and needs no user interaction (UI:N), but it requires high privileges (PR:H), i.e. an already-authenticated administrative account or equivalent on the management interface. The impact is limited to confidentiality (VC:H); integrity and availability are not affected, so this is a read-only information disclosure rather than a write or code-execution primitive. At the time of this analysis no exploitation in the wild had been reported and no patch reference was attached to the record; HPE's security bulletin for this CVE is the authoritative source for the fixed release. The affected version appears in the record as '0', which in the CVE 5.x record format conventionally marks the start of an affected range ("from the first release") rather than a specific build, so every release prior to the vendor's fix should be treated as affected until confirmed otherwise.
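
The bug class described above, as an added example that is not HPE StoreOnce code and not taken from the advisory: a generic Python file-download resolver in its CWE-22 form beside a hardened form. The base directory, the input strings and the single framework-style URL decode in the vulnerable variant are assumptions for illustration; the hardened variant shows the checks a reviewer would expect (decode, reject absolute paths and NUL bytes, normalise, then prove containment) and handles encoded and double-encoded traversal.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical base directory a file-download handler is meant to serve from.
# Illustrative assumption only; this is not a path from HPE StoreOnce.
BASE_DIR = "/var/app/exports"


def resolve_vulnerable(user_path: str) -> str:
    """CWE-22 as it usually appears: URL-decode once (as a web framework does),
    join the client-supplied path onto BASE_DIR and open whatever results.
    Returns the path the OS would actually open, with '..' collapsed, so the
    escape is visible. An absolute second argument makes join() drop BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, unquote(user_path)))


def resolve_hardened(user_path: str) -> str:
    """Decode, normalise, then prove containment before touching the filesystem.
    Raises ValueError for anything that would land outside BASE_DIR."""
    # 1. Decode twice so '%2e%2e%2f' and the double-encoded '%252e%252e%252f'
    #    are both seen as the '../' they become by the time a file API sees them.
    decoded = unquote(unquote(user_path))
    # 2. Refuse NUL bytes (string-truncation tricks) and absolute paths outright.
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        raise ValueError("rejected: absolute path or NUL byte")
    # 3. Treat backslashes as separators, then collapse './' and '../' lexically.
    relative = posixpath.normpath(decoded.replace("\\", "/"))
    # 4. Join and verify the result is BASE_DIR itself or strictly below it.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, relative))
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        raise ValueError(f"rejected: {candidate!r} escapes {BASE_DIR!r}")
    # On a live filesystem also resolve symlinks (os.path.realpath) and repeat
    # the prefix check; a lexical check cannot see a symlink that points outside.
    return candidate


def probe(user_path: str) -> tuple:
    """Run the hardened resolver; report ('allowed', path) or ('blocked', reason)."""
    try:
        return ("allowed", resolve_hardened(user_path))
    except ValueError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    # Constructed inputs: one benign request and the usual traversal variants.
    for p in ["reports/2025/q1.csv", "../../../etc/passwd", "/etc/shadow",
              "..%2F..%2F..%2Fetc%2Fpasswd", "%252e%252e%252fetc/passwd",
              "a/./b/../c.txt"]:
        print(f"{p!r:32} naive -> {resolve_vulnerable(p)!r:36} hardened -> {probe(p)}")
```

Note that the naive resolver happens to survive the double-encoded input only because nothing downstream decodes a second time; the hardened version does not rely on that accident but on the containment check after normalisation, which is the control that actually matters.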

Potential Impact

For European organizations the risk is unauthorized disclosure of data held within backup infrastructure. StoreOnce stores deduplicated backup data, so a successful read could expose corporate or customer data and trigger obligations under data protection regulations such as GDPR. Which files can actually be read depends on what the StoreOnce software process itself can reach, which the advisory does not enumerate. The high-privilege requirement narrows the attacker population to insiders and to adversaries who have already obtained administrative credentials for the management interface; for those, the vulnerability turns an administrative login into file read outside the directory the interface is meant to expose. Because the issue affects confidentiality only, backup integrity is not directly at stake, but disclosed configuration or credential material could enable follow-on access to other systems, and the compliance, financial and reputational consequences of a backup data breach are significant, particularly in sectors with stringent data privacy requirements such as finance, healthcare and government.

Mitigation Recommendations

Until the fixed release published in HPE's security bulletin for this CVE is installed, apply compensating controls. Restrict reachability of the StoreOnce management interface through network segmentation and access control lists so that only designated administration hosts can connect; enforce multi-factor authentication for all privileged accounts; and review privilege assignments regularly so the number of high-privilege accounts stays minimal, since the attack requires one. Monitor management-interface and web-server logs for traversal indicators: '../' and '..\' segments, their URL-encoded forms ('%2e%2e%2f', '..%2f', '..%5c') and double-encoded forms ('%252e%252e%252f'), and in particular any such request answered with a 2xx status, which means the server served something. Intrusion detection systems with path-traversal signatures can raise the same alert at the network layer, provided the sensor can see the management traffic in the clear. Maintain an up-to-date asset inventory of StoreOnce systems and rehearse patch deployment so the fix can be rolled out quickly once it is available. Encrypting backup data in transit and at rest limits exposure of data captured elsewhere, with one caveat: a traversal is executed by the application with its own file access, so at-rest encryption that the application transparently decrypts does not protect the files it can read. Encryption helps only where the keys are held outside the reach of the vulnerable process.
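
The log review recommended above, as an added example that is not part of the original page and not HPE's tooling: a small Python scanner over constructed access-log lines in Common Log Format. The endpoint name (/api/files?path=), the user names and the log format are assumptions for illustration; StoreOnce's real log format is not documented on this page, so the line regex has to be adapted to it. The scanner decodes twice and unifies separators before matching, so plain, URL-encoded, double-encoded and backslash variants are all caught, and it flags 2xx responses separately from rejected attempts.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log in Common Log Format (fabricated for this example;
# not StoreOnce output). One benign request, one that succeeded, two that were
# refused, and one benign path containing a dot but no '..' segment.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Jun/2025:14:10:01 +0000] "GET /api/files?path=reports/q1.csv HTTP/1.1" 200 5120
10.0.0.5 - admin [02/Jun/2025:14:10:07 +0000] "GET /api/files?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
10.0.0.5 - admin [02/Jun/2025:14:10:09 +0000] "GET /api/files?path=%252e%252e%252f%252e%252e%252fetc/shadow HTTP/1.1" 403 0
10.0.0.9 - backupop [02/Jun/2025:14:11:00 +0000] "GET /api/files?path=archive/2024/.tar.gz HTTP/1.1" 200 99
10.0.0.9 - backupop [02/Jun/2025:14:11:30 +0000] "GET /api/files?path=..\\..\\windows\\win.ini HTTP/1.1" 404 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' that forms a whole path segment: preceded by start, '/', '=', '&' or '?'
# and followed by '/', '?', '&', '#' or end. 'data..txt' does not match.
TRAVERSAL_RE = re.compile(r"(?:^|[/=&?])\.\.(?:[/?&#]|$)")


def normalise(target: str) -> str:
    """Decode twice and unify separators so encoded and mixed variants compare equally."""
    return unquote(unquote(target)).replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the (normalised) request target contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalise(target)) is not None


def scan(log_text: str) -> list:
    """One record per traversal attempt: source, user, decoded target, and whether
    the server answered 2xx (the case to escalate, since something was served)."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "user": m["user"],
            "target": normalise(m["target"]),
            "succeeded": m["status"].startswith("2"),
        })
    return hits


def summarise(hits: list) -> Counter:
    """Count attempts per (ip, user) so repeated probing by one account stands out."""
    return Counter((h["ip"], h["user"]) for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        flag = "SERVED" if h["succeeded"] else "refused"
        print(f'{h["ip"]:10} {h["user"]:10} {flag:8} {h["target"]}')
    print("attempts per source:", dict(summarise(found)))
```

In practice the per-account count is the more useful signal for this CVE: because exploitation needs a high-privilege account, a burst of traversal requests from an administrative user is either an abused credential or an insider, and either warrants an incident rather than a ticket.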


Technical Details

Data Version
5.1
Assigner Short Name
hpe
Date Reserved
2025-04-16T01:28:25.363Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 683dca2c182aa0cae24b06af

Added to database: 6/2/2025, 3:58:36 PM

Last enriched: 7/11/2025, 8:04:35 AM

Last updated: 7/31/2025, 1:54:46 AM
