How the CVE Works
CVE-2025-37092 is a critical command injection vulnerability in HPE StoreOnce Software, allowing remote attackers to execute arbitrary commands on the system. The flaw occurs due to improper input validation in a metrics-related function, where user-supplied data is passed directly to a system shell. Attackers can craft malicious requests containing shell metacharacters, leading to unauthorized command execution with elevated privileges. The vulnerability is remotely exploitable without authentication, making it highly dangerous for unpatched systems.
DailyCVE Form
Platform: HPE StoreOnce
Version: Vulnerable versions prior to patch
Vulnerability: Command Injection (RCE)
Severity: Critical
Date: 07/02/2025
Prediction: Patch expected by 08/15/2025
What Undercode Says
Check vulnerable service:
curl -X GET http://<target>/metrics_endpoint
Exploit PoC (simulated):
curl -X POST http://<target>/vulnerable_path --data "param=;id"
How the Exploit Works
Attackers send crafted HTTP requests with embedded shell commands to the metrics endpoint, bypassing input filters. Successful exploitation grants full system control.
Protection from this CVE
- Apply HPE's official patch immediately.
- Restrict network access to StoreOnce management interfaces.
- Implement input validation and command sanitization.
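As an added illustration (not code from the advisory or from HPE), the pattern the description attributes to the metrics function, user input concatenated into a shell command line, shown beside the two defensive layers the last bullet asks for; the parameter value, the `printf` stand-in for the real collector binary and the allow-list regex are assumptions:

```python
import re
import subprocess

# Constructed sample inputs (not from the advisory): a plausible device name a
# metrics endpoint might accept, and the same value with a shell separator.
SAFE_PARAM = "disk0"
INJECTED_PARAM = "disk0; echo INJECTED"

# "printf" stands in for the real metrics-collection binary, which the page
# does not name; the injection mechanics are the same for any command.

def run_metrics_vulnerable(param: str) -> str:
    # The flaw described: user input concatenated into a command string that
    # is handed to a shell. ';' ends the intended command and starts a
    # second, attacker-chosen one.
    cmd = "printf '%s\\n' " + param
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()

def run_metrics_argv(param: str) -> str:
    # Layer 1: no shell. The value travels as a single argv element, so
    # metacharacters are plain bytes in a string and are never parsed.
    out = subprocess.run(["printf", "%s\n", param],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # assumed device-name charset

def validate_metric_param(param: str) -> str:
    # Layer 2: allow-list validation. Reject anything outside the character
    # set a device/metric name legitimately needs, instead of trying to
    # strip or escape a list of known-bad characters.
    if not _ALLOWED.fullmatch(param):
        raise ValueError(f"rejected metrics parameter: {param!r}")
    return param

def run_metrics_hardened(param: str) -> str:
    return run_metrics_argv(validate_metric_param(param))

if __name__ == "__main__":
    print("vulnerable, injected:", run_metrics_vulnerable(INJECTED_PARAM).splitlines())
    print("argv only, injected :", run_metrics_argv(INJECTED_PARAM))
    try:
        run_metrics_hardened(INJECTED_PARAM)
    except ValueError as exc:
        print("hardened, injected  :", exc)
    print("hardened, safe      :", run_metrics_hardened(SAFE_PARAM))
```

The vulnerable variant prints a second line produced by the injected command, the argv variant prints the whole value as one literal string, and the hardened variant refuses the value before anything runs.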
Impact
- Full system compromise via remote code execution.
- Data exfiltration, service disruption, and lateral movement.
Sources:
Reported By: nvd.nist.gov