Hewlett Packard Enterprise (HPE) has issued a security bulletin warning of eight vulnerabilities affecting StoreOnce, its disk-based backup and deduplication solution.
Among the flaws fixed this time is a critical-severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked as CVE-2025-37093, alongside three remote code execution bugs, two directory traversal issues, and a server-side request forgery problem.
The flaws affect all versions of the HPE StoreOnce Software before v4.3.11, which is now the recommended upgrade version.
This is the complete list of the eight vulnerabilities HPE fixed in version 4.3.11:
- CVE-2025-37089 – Remote Code Execution
- CVE-2025-37090 – Server-Side Request Forgery
- CVE-2025-37091 – Remote Code Execution
- CVE-2025-37092 – Remote Code Execution
- CVE-2025-37093 – Authentication Bypass
- CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
- CVE-2025-37095 – Directory Traversal Information Disclosure
- CVE-2025-37096 – Remote Code Execution
Not many details have been disclosed about the flaws this time.
However, Zero Day Initiative (ZDI), which discovered them, notes that CVE-2025-37093 exists within the implementation of the machineAccountCheck method and results from an improper implementation of an authentication algorithm.
Although CVE-2025-37093 is the only vulnerability rated critical, the others still carry significant risk even though they are individually classified lower on the severity scale.
ZDI explains that the authentication bypass is the key to unlocking the potential of all the other flaws, so their risk is not isolated.
CVE-2025-37094 and CVE-2025-37095, the two medium-severity file deletion and information disclosure flaws, show that exploitation is practically easier than their scores reflect.
“This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise StoreOnce VSA,” explains ZDI.
“Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.”
Notably, the flaws were discovered and reported to HPE in October 2024, so seven full months passed before fixes finally became available to customers. However, there are no reports of active exploitation.
HPE StoreOnce is commonly used for backup and recovery in large enterprises, data centers, cloud service providers, and generally, organizations handling big data or large virtualized environments.
StoreOnce integrates with backup software such as HPE Data Protector, Veeam, Commvault, and Veritas NetBackup, ensuring business continuity and effective backup management.
That being said, administrators of potentially impacted environments should take immediate action and apply the available security updates to close the gaps.
HPE has listed no mitigations or workarounds for the eight flaws in the bulletin, so upgrading is the recommended solution.
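Since the only fix is an upgrade, the practical question for an operator with several appliances is which ones still run a build older than 4.3.11. The script below is an added example, not code from HPE, ZDI, or the bulletin; it assumes the version strings have already been read off each appliance's management interface and collected into an inventory, and the hostnames and versions shown are constructed sample data. It compares versions numerically, because a plain string comparison would rank "4.3.9" above "4.3.11" and silently miss a vulnerable appliance.

```python
"""Flag StoreOnce appliances whose software predates the fixed 4.3.11 release.

Added example, not HPE or ZDI code. Version strings are assumed to have been
collected by hand from each appliance's management UI or CLI; the inventory
below is constructed sample data, not real hosts.
"""
from __future__ import annotations

import re

# First release carrying the fixes for all eight CVEs (per the bulletin).
FIXED_VERSION = (4, 3, 11)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.3.11', '4.3.9-1234' or 'v4.2.3' into a numeric tuple.

    Only the leading dotted-numeric part is compared; any build suffix after a
    dash is ignored. Raises ValueError on strings that do not look like versions.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the build is older than 4.3.11 and therefore carries the flaws.

    Tuple comparison is element-wise and numeric, so (4, 3, 9) < (4, 3, 11)
    holds, whereas the strings '4.3.9' and '4.3.11' would compare the other
    way round. A bare '4.3' parses to (4, 3), which also sorts before the fix.
    """
    return parse_version(version) < FIXED_VERSION


def hosts_needing_upgrade(inventory: dict[str, str]) -> list[str]:
    """Return the sorted hostnames from inventory that still need the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "storeonce-dc1": "4.3.9",
    "storeonce-dc2": "4.3.11",
    "storeonce-dr": "4.2.3-2020",
    "storeonce-lab": "v4.3.12",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is older than 4.3.11, upgrade required")
```

Feed the real inventory in place of SAMPLE_INVENTORY; anything the script lists is exposed to all eight CVEs, including the authentication bypass, until it is moved to 4.3.11 or later.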