HPE Warns of Critical Vulnerabilities in StoreOnce Backup System, Including Authentication Bypass Risk

202/68 Thursday, June 5, 2025

Hewlett Packard Enterprise (HPE) has issued a security advisory warning of eight vulnerabilities affecting its StoreOnce data backup and deduplication solution, widely used in enterprise environments. The most critical flaw, CVE-2025-37093 (CVSS 9.8), is an authentication bypass caused by a flaw in the machineAccountCheck function. Because it can be chained with the other flaws, an unauthenticated attacker could reach vulnerabilities such as arbitrary file deletion or sensitive data exposure (CVE-2025-37094 and CVE-2025-37095) without ever logging in.

These vulnerabilities affect StoreOnce versions prior to 4.3.11. HPE strongly recommends updating to version 4.3.11 immediately, as no official mitigation or workaround currently exists.
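An inventory check is the practical first step after an advisory like this: list every StoreOnce appliance and flag the ones still below the fixed release. The script below is an added example, not HPE's tooling; the hostnames and versions in its sample inventory are constructed, and the only fact taken from the advisory is the 4.3.11 threshold. It also shows the classic pitfall of comparing version strings lexically, where "4.3.9" sorts after "4.3.11".

```python
"""Flag StoreOnce appliances running a release older than 4.3.11.

Added example (not HPE code). The inventory below is constructed sample data;
a real run would read hostnames and versions from your own asset inventory.
"""
import re
from typing import NamedTuple

# From the HPE advisory: releases before this version are affected.
FIXED_VERSION = "4.3.11"


class Appliance(NamedTuple):
    host: str
    version: str


# Constructed sample inventory: "hostname,version" per line (made-up hosts).
SAMPLE_INVENTORY = """\
backup-01.example.internal,4.3.9
backup-02.example.internal,4.3.11
backup-03.example.internal,4.3.10
backup-04.example.internal,4.2.3
backup-05.example.internal,4.3.11.1
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.3.11' into (4, 3, 11) so comparisons are numeric.

    A plain string comparison ranks '4.3.9' above '4.3.11' because '9' > '1';
    comparing tuples of integers avoids that mistake.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs a release older than the fixed version.

    Tuple comparison treats a longer tuple with the same prefix as newer,
    so a hotfix such as 4.3.11.1 is correctly reported as not affected.
    """
    return parse_version(version) < parse_version(fixed)


def parse_inventory(csv_text: str) -> list[Appliance]:
    """Parse 'host,version' lines; blank lines and '#' comments are skipped."""
    appliances = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (field.strip() for field in line.split(",", 1))
        appliances.append(Appliance(host, version))
    return appliances


def find_affected(csv_text: str) -> list[Appliance]:
    """Return the appliances that still need the 4.3.11 update."""
    return [a for a in parse_inventory(csv_text) if is_affected(a.version)]


if __name__ == "__main__":
    for appliance in find_affected(SAMPLE_INVENTORY):
        print(f"{appliance.host}: {appliance.version} < {FIXED_VERSION} -> update required")
```

Run it against your own export in the same `host,version` shape; anything it prints is an appliance that still exposes the eight CVEs listed below.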

The full list of vulnerabilities includes:

  • CVE-2025-37089 – Remote Code Execution
  • CVE-2025-37090 – Server-Side Request Forgery (SSRF)
  • CVE-2025-37091 – Remote Code Execution
  • CVE-2025-37092 – Remote Code Execution
  • CVE-2025-37093 – Authentication Bypass (Critical)
  • CVE-2025-37094 – Directory Traversal (File Deletion)
  • CVE-2025-37095 – Directory Traversal (Sensitive Data Exposure)
  • CVE-2025-37096 – Remote Code Execution

These vulnerabilities were discovered by the Zero Day Initiative (ZDI) in October 2024, but patches were only released in mid-2025. Although there have been no reports of active exploitation, the widespread use of StoreOnce in enterprise data centers and backup infrastructures means that system administrators should prioritize patching to reduce potential risks.

Source: https://www.bleepingcomputer.com/news/security/hewlett-packard-enterprise-warns-of-critical-storeonce-auth-bypass/