Hewlett-Packard Enterprise (HPE) has issued a critical security bulletin (HPESBST04847 rev. 1) warning users of multiple high-impact vulnerabilities in its StoreOnce Software, specifically affecting versions before 4.3.11.
The vulnerabilities, if exploited, could allow attackers to bypass authentication, execute arbitrary code remotely, perform server-side request forgery (SSRF), delete files, and access sensitive information via directory traversal.
One of the most severe vulnerabilities, tracked as CVE-2025-37093, enables remote attackers to bypass authentication entirely, granting unauthorized access to affected StoreOnce VSA systems.
This flaw, rooted in the improper implementation of the machineAccountCheck method, allows adversaries to gain system-level privileges without any user interaction or credentials.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it is classified as “critical” and requires immediate attention.
CVEs, Attack Vectors, and Severity
The bulletin identifies eight distinct CVEs, each with specific technical implications.
The following table summarizes the vulnerabilities, their CVSS scores, and potential impacts:
| CVE ID | Attack Type | CVSS v3.1 Vector | Base Score | Potential Impact |
|---|---|---|---|---|
| CVE-2025-37089 | Remote Code Execution | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | Full system compromise |
| CVE-2025-37090 | Server-Side Request Forgery | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3 | SSRF, data exposure |
| CVE-2025-37091 | Remote Code Execution | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | Full system compromise |
| CVE-2025-37092 | Remote Code Execution | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | Full system compromise |
| CVE-2025-37093 | Authentication Bypass | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | Unauthorized access, data loss |
| CVE-2025-37094 | Directory Traversal, Deletion | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H | 5.5 | Arbitrary file deletion |
| CVE-2025-37095 | Directory Traversal, Info Leak | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 4.9 | Information disclosure |
| CVE-2025-37096 | Remote Code Execution | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | Full system compromise |
The most critical, CVE-2025-37093, requires no authentication or user interaction, making it highly exploitable over the network.
Attackers can potentially access, modify, or delete sensitive data, disrupt system availability, and compromise the integrity of backup and storage operations.
Other vulnerabilities, such as CVE-2025-37094, enable directory traversal attacks that could result in the deletion of critical files, further threatening data integrity and business continuity.
Mitigation and Recommendations: Patch Now
According to the report, HPE strongly recommends that all customers running StoreOnce Software versions before 4.3.11 upgrade immediately to version 4.3.11 or later, which addresses all identified vulnerabilities.
There are currently no known workarounds for these flaws, making prompt patching essential to prevent exploitation.
Security teams should also:
- Isolate vulnerable StoreOnce systems from untrusted networks until patched.
- Monitor for unauthorized access attempts and unusual activity.
- Apply network segmentation to limit potential lateral movement by attackers.
- Review system management and security procedures regularly to maintain system integrity.
For further assistance, customers are advised to contact HPE support or refer to the official security bulletin (Document ID: hpesbst04847en_us) for detailed remediation steps.
Summary Table: HPE StoreOnce Critical Vulnerabilities
| Affected Product | Impacted Versions | Fixed in Version | Key CVEs (Critical) | Patch Required? |
|---|---|---|---|---|
| HPE StoreOnce VSA | < 4.3.11 | 4.3.11 | CVE-2025-37093, -37094, -37089 | Yes |
Immediate action is required to safeguard enterprise data and maintain operational resilience in the face of these newly disclosed threats.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!