- HPE patches eight flaws in StoreOnce platform
- Among the flaws is a critical severity authentication bypass
- There are no workarounds and users are advised to patch up
Hewlett Packard Enterprise (HPE) has revealed patches for a number of dangerous flaws affecting its data backup and recovery solution, StoreOnce, including a critical-severity bug which allows threat actors to gain full access to the vulnerable system without user interaction.
The bug is tracked as CVE-2025-37093, and is described as an authentication bypass flaw stemming from improper authentication handling. It has a severity score of 9.8/10 (critical) and could potentially be abused to compromise system integrity, allow threat actors to access sensitive data, and lead to different disruptions and availability issues.
Crooks could use it to deploy ransomware, steal sensitive data, or move laterally throughout the target network.
Eight flaws patched
In HPE’s advisory, the company said all versions prior to 4.3.11 were vulnerable, and has urged users to update their software as soon as possible.
There are no other mitigations or workarounds, so if you can’t update your instance immediately, it would be best to remove the product until you can patch it.
The issues were reportedly discovered seven months ago but apparently no one abused it in the wild so far.
In total, HPE patched eight flaws this time around. While the authentication bypass is the most severe one, others are potentially dangerous, as well.
Here is a list of other seven flaws HPE fixed in version 4.3.11:
CVE-2025-37089 – Remote Code Execution
CVE-2025-37090 – Server-Side Request Forgery
CVE-2025-37091 – Remote Code Execution
CVE-2025-37092 – Remote Code Execution
CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
CVE-2025-37095 – Directory Traversal Information Disclosure
CVE-2025-37096 – Remote Code Execution
HPE StoreOnce is a disk-based backup and recovery system that uses data deduplication to reduce storage needs.It is usually used by enterprises, government agencies, and mid-sized businesses with complex IT environments.
StoreOnce supports integration with other backup and enterprise software, such as HPE Data Protector, Veeam, Veritas NetBackup, Commvault, and Microsoft Data Protection Manager. It also connects with cloud storage through HPE Cloud Bank Storage.
Via BleepingComputer
Leave a comment