Hewlett Packard Enterprise (HPE) has issued a new security advisory addressing eight newly discovered vulnerabilities in its StoreOnce data backup and deduplication platform. Among these, the most severe is an authentication bypass vulnerability tracked as CVE-2025-37093, which carries a near-maximum CVSS score of 9.8, indicating a critical risk to affected systems.
In a security bulletin (document ID: HPESBST04847 rev.1), HPE outlined that multiple versions of its StoreOnce Virtual Storage Appliance (VSA), particularly those prior to version 4.3.11, are vulnerable to a range of remote exploitation risks. These include remote code execution (RCE), server-side request forgery (SSRF), arbitrary file deletion, information disclosure, directory traversal, and authentication bypass.
“These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal information disclosure,” HPE warned in the advisory.
Spotlight on CVE-2025-37093: A Critical StoreOnce Vulnerability
The most concerning among the identified threats is CVE-2025-37093, a critical StoreOnce vulnerability. This flaw affects all software versions prior to 4.3.11 and enables unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to systems.
HPE stated that this vulnerability was reported on October 31, 2024, by an anonymous researcher in collaboration with the Trend Micro Zero Day Initiative (ZDI). The vulnerability, cataloged under ZDI-CAN-24985, is now patched in the newly released software version.
With a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the CVE-2025-37093 vulnerability in StoreOnce poses a serious threat due to its low attack complexity and lack of user interaction required.
Full List of Vulnerabilities
Besides CVE-2025-37093, the advisory highlights the following security issues:
- CVE-2025-37089 (ZDI-CAN-24981) – Remote Code Execution (CVSS: 7.2)
- CVE-2025-37090 (ZDI-CAN-24982) – Server-Side Request Forgery (CVSS: 5.3)
- CVE-2025-37091 (ZDI-CAN-24983) – Remote Code Execution (CVSS: 7.2)
- CVE-2025-37092 (ZDI-CAN-24984) – Remote Code Execution (CVSS: 7.2)
- CVE-2025-37094 (ZDI-CAN-25314) – Directory Traversal / Arbitrary File Deletion (CVSS: 5.5)
- CVE-2025-37095 (ZDI-CAN-25315) – Directory Traversal / Information Disclosure (CVSS: 4.9)
- CVE-2025-37096 (ZDI-CAN-25316) – Remote Code Execution (CVSS: 7.2)
Each of these poses various degrees of threat, but it is CVE-2025-37093, the authentication bypass flaw, that requires immediate attention due to its potential to grant full access to unprivileged attackers without requiring credentials.
Who Is Affected and How to Mitigate
Systems running HPE StoreOnce VSA software versions earlier than 4.3.11 are directly impacted. These installations are urged to upgrade to version 4.3.11 or later, which contains the necessary patches to remediate all eight vulnerabilities, including CVE-2025-37093.
While HPE has made the updated software available through the HPE Support Center, organizations are also advised to adhere to their internal patch management protocols when applying third-party patches.
Conclusion
The recent disclosure of multiple vulnerabilities in HPE’s StoreOnce software, most notably the critical authentication bypass flaw tracked as CVE-2025-37093, highlights a pressing security concern for organizations relying on this widely used backup solution. The flaws expose systems to risks such as remote code execution and unauthorized access.
With attackers increasingly targeting backup infrastructure to gain deeper access into networks or sabotage recovery efforts, unpatched StoreOnce deployments present a tempting target. Immediate action to upgrade to the patched version is not just advisable—it’s essential for any organization looking to protect sensitive data and maintain operational resilience.
