Friday, June 6, 2025

Hewlett Packard Enterprise warns of critical StoreOnce auth bypass


Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution.

Among the issues fixed this time is a critical-severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked as CVE-2025-37093, three remote code execution bugs, two directory traversal issues, and a server-side request forgery flaw.

The flaws impact all versions of the HPE StoreOnce Software before v4.3.11, which is now the recommended upgrade version.

Here is the complete list of the eight vulnerabilities HPE fixed in version 4.3.11:

CVE-2025-37089 – Remote Code Execution
CVE-2025-37090 – Server-Side Request Forgery
CVE-2025-37091 – Remote Code Execution
CVE-2025-37092 – Remote Code Execution
CVE-2025-37093 – Authentication Bypass
CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
CVE-2025-37095 – Directory Traversal Information Disclosure
CVE-2025-37096 – Remote Code Execution

Not many details have been disclosed about the flaws this time.

However, the Zero Day Initiative (ZDI), which discovered them, mentions that CVE-2025-37093 exists within the implementation of the machineAccountCheck method and results from an improper implementation of an authentication algorithm.

Although CVE-2025-37093 is the only vulnerability rated as critical, the others still carry significant risk even though they are generally classified lower in the severity rating.

ZDI explains that the authentication bypass is the key to unlocking the potential of all the other flaws, so their risk is not isolated.

The examples of CVE-2025-37094 and CVE-2025-37095, two medium-severity file deletion and information disclosure flaws, show that exploitation is practically easier than what is reflected in the rating.

“This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise StoreOnce VSA,” explains ZDI.

“Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.”

Notably, the flaws were discovered and reported to HPE in October 2024, so seven full months passed before fixes finally became available to customers. Still, there are no reports of active exploitation.

HPE StoreOnce is typically used for backup and recovery in large enterprises, data centers, cloud service providers, and generally, organizations handling big data or large virtualized environments.

StoreOnce integrates with backup software such as HPE Data Protector, Veeam, Commvault, and Veritas NetBackup, supporting business continuity and effective backup management.

That being said, administrators of potentially impacted environments should take immediate action and apply the available security updates to close the gaps.

HPE has listed no mitigations or workarounds for the eight flaws in the bulletin, so upgrading is the recommended solution.
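Since the bulletin's only remedy is upgrading, the practical first step for a defender is to find every StoreOnce appliance still running a version before 4.3.11. The script below is an added example, not code from the article or from HPE: it parses dotted version strings numerically (a plain string comparison would wrongly rank "4.3.9" above "4.3.11") and reports which hosts in an inventory are affected. The hostnames, versions and the optional "-p1" suffix format are constructed assumptions; only the fixed release 4.3.11 comes from the article.

```python
"""
Added example (not from the article or HPE): flag StoreOnce software
versions older than the fixed release 4.3.11 named in the HPE bulletin.

The inventory is constructed sample data. The version-string format
(dotted integers with an optional non-numeric suffix) is an assumption
about how versions are recorded, not a documented StoreOnce format.
"""
import re

# Fixed release per the bulletin as reported in the article.
FIXED_VERSION = "4.3.11"


def parse_version(version: str) -> tuple:
    """Turn '4.3.9' into (4, 3, 9) so that components compare numerically.

    A plain string comparison gets this wrong: '4.3.9' > '4.3.11' because
    the character '9' sorts after '1'. Any non-numeric suffix such as
    '4.3.11-p1' (an assumed format) is ignored for the comparison.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the given version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def audit(inventory: dict) -> list:
    """Return the sorted names of hosts running an affected version."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "storeonce-dc1": "4.3.9",      # older than 4.3.11 -> affected
    "storeonce-dc2": "4.3.11",     # fixed release
    "storeonce-lab": "4.2.3",      # affected
    "storeonce-dr": "4.3.11-p1",   # assumed suffix format, treated as 4.3.11
    "storeonce-new": "4.4.0",      # newer than the fix
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is before "
              f"{FIXED_VERSION}, upgrade required")
```

Feeding the script a real inventory export (hostname to version) gives an upgrade worklist; the numeric tuple comparison is what keeps a host on 4.3.9 or 4.3.10 from being silently skipped.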
