CVE-2025-37091
Published: 02 June 2025
Summary
CVE-2025-37091 is a high-severity Command Injection (CWE-77) vulnerability in HPE StoreOnce System. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-37091 is a command injection remote code execution vulnerability affecting HPE StoreOnce Software. It carries a CVSS 3.1 base score of 7.2 and is classified under CWE-77, indicating improper neutralization of special elements used in a command.
The flaw can be exploited over the network by an authenticated user with high privileges and without user interaction. Successful exploitation fully compromises the confidentiality, integrity, and availability of the affected system.
The primary reference is the HPE security bulletin at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US, which provides official guidance on patches and mitigation steps for the affected StoreOnce versions.
The associated EPSS score remains low at 0.0116 with no material increase observed since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16655
Vulnerability details
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
- CWE(s): CWE-77
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.