Hewlett Packard Enterprise (HPE) has launched security updates to deal with as many as eight vulnerabilities in its StoreOnce knowledge backup and deduplication resolution that might lead to an authentication bypass and distant code execution.
“These vulnerabilities may very well be remotely exploited to permit distant code execution, disclosure of knowledge, server-side request forgery, authentication bypass, arbitrary file deletion, and listing traversal data disclosure vulnerabilities,” HPE stated in an advisory.
This features a repair for a important security flaw tracked as CVE-2025-37093, which is rated 9.8 on the CVSS scoring system. It has been described as an authentication bypass bug affecting all variations of the software program previous to 4.3.11. The vulnerability, together with the remainder, was reported to the seller on October 31, 2024.
Based on the Zero Day Initiative (ZDI), which credited an nameless researcher for locating and reporting the shortcoming, stated the issue is rooted within the implementation of the machineAccountCheck methodology.
“The difficulty outcomes from improper implementation of an authentication algorithm,” ZDI stated. “An attacker can leverage this vulnerability to bypass authentication on the system.”
Profitable exploitation of CVE-2025-37093 might allow a distant attacker to bypass authentication on affected installations. What makes the vulnerability extra extreme is that it may very well be chained with the remaining flaws to realize code execution, data disclosure, and arbitrary file deletion within the context of root –
- CVE-2025-37089 – Distant Code Execution
- CVE-2025-37090 – Server-Facet Request Forgery
- CVE-2025-37091 – Distant Code Execution
- CVE-2025-37092 – Distant Code Execution
- CVE-2025-37093 – Authentication Bypass
- CVE-2025-37094 – Listing Traversal Arbitrary File Deletion
- CVE-2025-37095 – Listing Traversal Info Disclosure
- CVE-2025-37096 – Distant Code Execution
The disclosure comes as HPE additionally shipped patches to deal with a number of critical-severity flaws in HPE Telco Service Orchestrator (CVE-2025-31651, CVSS rating: 9.8) and OneView (CVE-2024-38475, CVE-2024-38476, CVSS scores: 9.8) to deal with beforehand disclosed weaknesses in Apache Tomcat and Apache HTTP Server.
Whereas there are not any stories of lively exploitation, it is important that customers apply the newest updates for optimum safety.
