Hewlett Packard Enterprise warns of important StoreOnce auth bypass

Hewlett Packard Enterprise (HPE) has issued a security bulletin warning of eight vulnerabilities affecting StoreOnce, its disk-based backup and deduplication solution.

Among the issues fixed this time is a critical-severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked as CVE-2025-37093, three remote code execution bugs, two directory traversal issues, and a server-side request forgery flaw.

The flaws affect all versions of the HPE StoreOnce Software before v4.3.11, which is now the recommended upgrade version.

Here is the full list of the eight vulnerabilities HPE fixed in version 4.3.11:

  • CVE-2025-37089 – Remote Code Execution
  • CVE-2025-37090 – Server-Side Request Forgery
  • CVE-2025-37091 – Remote Code Execution
  • CVE-2025-37092 – Remote Code Execution
  • CVE-2025-37093 – Authentication Bypass
  • CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
  • CVE-2025-37095 – Directory Traversal Information Disclosure
  • CVE-2025-37096 – Remote Code Execution

Not many details have been disclosed about the flaws this time.

However, Zero Day Initiative (ZDI), which discovered them, notes that CVE-2025-37093 exists within the implementation of the machineAccountCheck method and results from an improper implementation of an authentication algorithm.

Although CVE-2025-37093 is the only vulnerability rated as critical, the others still carry significant risk even though they are generally classified lower in severity.

ZDI explains that the authentication bypass is the key to unlocking the potential of all the other flaws, so their risk is not isolated.

The examples of CVE-2025-37094 and CVE-2025-37095, two medium-severity file deletion and information disclosure flaws, show that exploitation is practically easier than what is reflected in their scores.

“This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise StoreOnce VSA,” explains ZDI.

“Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.”

Notably, the flaws were discovered and reported to HPE in October 2024, with seven full months passing before fixes finally became available to customers. However, there are no reports of active exploitation.

HPE StoreOnce is commonly used for backup and recovery in large enterprises, data centers, cloud service providers, and generally, organizations handling large amounts of data or large virtualized environments.

StoreOnce integrates with backup software such as HPE Data Protector, Veeam, Commvault, and Veritas NetBackup, ensuring business continuity and effective backup management.

That being said, administrators of potentially impacted environments should take immediate action and apply the available security updates to close the gaps.

HPE has listed no mitigations or workarounds for the eight flaws in the bulletin, so upgrading is the recommended solution.
