Hewlett Packard Enterprise (HPE) has released important security updates to fix eight serious vulnerabilities found in its StoreOnce data backup and deduplication product. One of these bugs, identified as CVE-2025-37093, is especially dangerous, as it allows attackers to bypass authentication and potentially take control of the system remotely.
These security flaws were detailed in an official HPE security advisory, and if left unpatched, could let attackers do the following:
Run malicious code (Remote Code Execution)
Steal sensitive data
Bypass login security
Delete important files
Access unauthorized directories
Perform server-side attacks
Critical Bug Rated 9.8 Out of 10 in Severity
The most severe of these bugs, CVE-2025-37093, has received a CVSS score of 9.8, placing it in the “critical” category. This vulnerability affects all StoreOnce software versions before 4.3.11.
The Zero Day Initiative (ZDI) credited an anonymous cybersecurity researcher for discovering and responsibly reporting this issue to HPE on October 31, 2024.
According to ZDI, the flaw lies in a function called machineAccountCheck, which handles system authentication. The flawed implementation of this feature allows an attacker to bypass authentication without valid credentials.
“The issue results from improper implementation of an authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system,” said ZDI.
This means that hackers can potentially log in without any username or password, giving them unauthorized access to the system.
Multiple StoreOnce Vulnerabilities Disclosed
In addition to the authentication bypass flaw, HPE also addressed seven more vulnerabilities, each posing a different type of risk. These bugs can be combined (or chained) by skilled attackers to gain full control over the system, delete files, or access confidential data.
Here’s the full list of the patched vulnerabilities:
CVE-2025-37089 – Remote Code Execution (RCE)
CVE-2025-37090 – Server-Side Request Forgery (SSRF)
CVE-2025-37091 – Remote Code Execution (RCE)
CVE-2025-37092 – Remote Code Execution (RCE)
CVE-2025-37093 – Authentication Bypass (Critical)
CVE-2025-37094 – Directory Traversal + Arbitrary File Deletion
CVE-2025-37095 – Directory Traversal + Information Disclosure
CVE-2025-37096 – Remote Code Execution (RCE)
All of these vulnerabilities can be exploited remotely, meaning that attackers do not need physical access to the device to carry out an attack.
If your organization uses HPE StoreOnce, you should immediately update to version 4.3.11 or newer. Delaying this patch could expose your network to serious threats, including ransomware, data loss, or complete system takeover.
HPE recommends that all users:
Apply the latest security patches
Monitor systems for any unusual activity
Limit network exposure of backup systems
Follow standard cybersecurity best practices
This patch for StoreOnce comes alongside other critical security fixes from HPE. The company also released updates for:
HPE Telco Service Orchestrator
Vulnerability: CVE-2025-31651
Severity: 9.8 (Critical)
Related to: Apache HTTP Server
HPE OneView
Vulnerabilities: CVE-2024-38475 and CVE-2024-38476
Severity: 9.8 (Critical)
Related to: Apache Tomcat & Apache HTTP Server
These bugs in OneView and Telco Service Orchestrator were tied to known weaknesses in third-party open-source components that HPE uses in its software stack. If you’re using any of these products, it’s crucial to review the security advisory and apply patches immediately.
Backup and recovery solutions like StoreOnce are often considered the last line of defense in case of ransomware or cyber incidents. If these systems are compromised, it could mean:
Backup tampering or deletion
Loss of data recoverability
Extended downtime during attacks
Sensitive data leaks
Attackers often target such infrastructure to make recovery difficult, increasing the chances of successful extortion or system sabotage.
The latest vulnerabilities discovered in HPE StoreOnce and other enterprise solutions highlight the ongoing cybersecurity risks in even the most trusted IT systems. Organizations must:
Stay informed about vendor advisories
Apply patches promptly
Regularly audit backup infrastructure
Implement layered defense mechanisms
These steps are essential not just for compliance but for business continuity and data protection.
Interesting Article : CVE-2025-5419, Critical Zero-Day Chrome Flaw Under Active Attack
Pingback: CVE-2025-20286: Cisco ISE Cloud Vulnerability Affects AWS, Azure, and OCI