Full Report
Multiple vulnerabilities have been discovered in HPE StoreOnce Software which, when chained together, could allow for remote code execution, potentially leading to session hijacking and full system compromise. HPE StoreOnce is a data protection platform from Hewlett Packard Enterprise that uses deduplication to reduce backup storage requirements and improve backup and recovery speeds. Successful exploitation of these vulnerabilities could allow remote code execution, disclosure of information, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal information disclosure.
Analysis Summary
# Vulnerability: Chained Vulnerabilities in HPE StoreOnce Software Leading to RCE
## CVE Details
- CVE ID: CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, CVE-2025-37096 (RCE related); CVE-2025-37090 (SSRF); CVE-2025-37093 (Auth Bypass); CVE-2025-37094 (Arbitrary File Deletion); CVE-2025-37095 (Directory Traversal)
- CVSS Score: Not explicitly provided in the summary, but the cumulative impact suggests **High** severity.
- CWE: Multiple specific CWEs are implied by the vulnerability types (e.g., RCE, SSRF, Auth Bypass).
## Affected Systems
- Products: HPE StoreOnce Software
- Versions: Versions prior to 4.3.11 (or later versions that do not contain the fix).
- Configurations: Not specified, presumed to affect standard deployments.
## Vulnerability Description
Multiple vulnerabilities exist in HPE StoreOnce Software that, when exploited in sequence, allow remote code execution (RCE). The flaws include several that lead to RCE, as well as Server-Side Request Forgery (SSRF), Authentication Bypass, Arbitrary File Deletion, and Directory Traversal leading to Information Disclosure. Chaining them allows an attacker to achieve full system compromise and potentially session hijacking.
## Exploitation
- Status: No reports of exploitation in the wild.
- Complexity: Implied to be Medium to High, as multiple vulnerabilities must be chained for RCE.
- Attack Vector: Network (since RCE is possible, suggesting exploitation via public-facing mechanisms, aligning with MITRE Tactic TA0001, Technique T1190: Exploit Public-Facing Application).
## Impact
- Confidentiality: Disclosure of information (High)
- Integrity: Remote Code Execution, Arbitrary File Deletion (High)
- Availability: Full system compromise possible (High)
## Remediation
### Patches
- **Patched Versions:** HPE StoreOnce Software version 4.3.11, or a later version that contains the fix. Customers should immediately apply updates provided by HPE after testing.
### Workarounds
- No specific workarounds are detailed in the provided text; immediate patching is the primary recommendation.
## Detection
- IOCs are not specified.
- Detection methods involve standard vulnerability scanning (authenticated and unauthenticated) to identify vulnerable software versions and maintaining a robust vulnerability management process (Safeguards 7.4, 7.5).
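
The version check described above can be run over an asset inventory export. The following is an added example, not code from HPE or from the original advisory; the CSV layout, hostnames and version strings are constructed, and the assumption that a build suffix may follow the dotted version is hypothetical. It compares versions numerically, because a plain string comparison ranks `4.3.9` above `4.3.11` and `4.10.0` below it.

```python
import csv
import io
import re

FIXED = (4, 3, 11)  # first fixed StoreOnce release named in this advisory

# Constructed sample inventory: hosts and version strings are made up.
SAMPLE_INVENTORY = """host,product,version
backup-01.example.internal,HPE StoreOnce,4.3.9
backup-02.example.internal,HPE StoreOnce,4.3.11
backup-03.example.internal,HPE StoreOnce,4.2.3-build7
backup-04.example.internal,HPE StoreOnce,4.10.0
backup-05.example.internal,HPE StoreOnce,unknown
files-01.example.internal,Other Product,1.0.0
"""

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple of ints, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions so "4.3" compares as 4.3.0.
    return parts + (0,) * (len(FIXED) - len(parts))

def triage(inventory_csv):
    """Map each StoreOnce host to 'vulnerable', 'at_or_above_fix' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "storeonce" not in row["product"].lower():
            continue  # other products are out of scope for this advisory
        version = parse_version(row["version"])
        if version is None:
            results[row["host"]] = "unknown"  # needs a manual or authenticated check
        elif version < FIXED:
            results[row["host"]] = "vulnerable"
        else:
            results[row["host"]] = "at_or_above_fix"
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` are the ones to follow up with an authenticated scan, since an unparseable version is not evidence of a patched system.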
## References
- Vendor Advisories: [https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US](https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US)
- General CVE Lookup:
  - CVE-2025-37089: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37089](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37089)
  - CVE-2025-37090: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37090](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37090)
  - CVE-2025-37091: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37091)
  - CVE-2025-37092: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37092)
  - CVE-2025-37093: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37093](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37093)
  - CVE-2025-37094: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37094](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37094)
  - CVE-2025-37095: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37095](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37095)
  - CVE-2025-37096: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37096](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37096)