
Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution.
Among the issues fixed this time is a critical severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked as CVE-2025-37093, three remote code execution bugs, two directory traversal issues, and a server-side request forgery issue.
The flaws impact all versions of the HPE StoreOnce Software before v4.3.11, which is now the recommended upgrade version.
This is the full list of the eight vulnerabilities HPE fixed in version 4.3.11:
- CVE-2025-37089 – Remote Code Execution
- CVE-2025-37090 – Server-Side Request Forgery
- CVE-2025-37091 – Remote Code Execution
- CVE-2025-37092 – Remote Code Execution
- CVE-2025-37093 – Authentication Bypass
- CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
- CVE-2025-37095 – Directory Traversal Information Disclosure
- CVE-2025-37096 – Remote Code Execution
Not many details have been disclosed about the flaws this time.
However, Zero Day Initiative (ZDI), which discovered them, mentions that CVE-2025-37093 exists within the implementation of the machineAccountCheck method, resulting from improper implementation of an authentication algorithm.
Although CVE-2025-37093 is the only vulnerability rated as critical, the others still carry significant risks even though they are typically classified lower in the severity rating.
The ZDI explains that the authentication bypass problem is the key to unlocking the potential in all the other flaws, so their risk is not isolated.
The examples of CVE-2025-37094 and CVE-2025-37095, two medium-severity file deletion and information disclosure flaws, show that exploitation is practically easier than what is reflected in the score.
“This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise StoreOnce VSA,” explains ZDI.
“Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.”
Notably, the flaws were discovered and reported to HPE in October 2024, with seven full months having passed until fixes finally became available to customers. However, there are no reports of active exploitation.
HPE StoreOnce is commonly used for backup and recovery in large enterprises, data centers, cloud service providers, and generally, organizations handling large volumes of data or large virtualized environments.
StoreOnce integrates with backup software like HPE Data Protector, Veeam, Commvault, and Veritas NetBackup, ensuring business continuity and effective backup management.
That being said, administrators of potentially impacted environments should take immediate action and apply the available security updates to close the gaps.
HPE has listed no mitigations or workarounds for the eight flaws in the bulletin, so upgrading is the recommended solution.
