HPE Patches Critical Vulnerability in StoreOnce

Hewlett Packard Enterprise (HPE) this week announced fixes for multiple vulnerabilities in StoreOnce software, including a critical flaw leading to authentication bypass.

The StoreOnce software powers HPE’s storage products, which are secondary storage systems that provide data protection, copy management, backup, and deduplication capabilities, to increase efficiency. StoreOnce VSA, a virtual appliance offering the same functionality, is also available.

The critical issue addressed in StoreOnce this week, tracked as CVE-2025-37093 (CVSS score of 9.8), was discovered in the software’s implementation of the machineAccountCheck method.

“The issue results from improper implementation of an authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system,” a ZDI advisory reads.

CVE-2025-37093 does not appear to have been exploited in the wild, but it is not uncommon for threat actors to target backup solutions, security firm Arctic Wolf warns.

“Arctic Wolf has not observed any active exploitation of this vulnerability in the wild or any publicly available proof-of-concept (PoC) exploit. However, threat actors may target it in the near future, as backup solutions have been frequent targets in the past,” the company notes.

HPE addressed the bug with the release of StoreOnce version 4.3.11. The update also resolves seven other security defects, including four rated ‘high severity’ that could lead to remote code execution (RCE).

While all four RCE flaws require authentication to be exploited, they could be chained with the critical authentication bypass to fully compromise vulnerable systems.

The remaining vulnerabilities could be exploited to perform server-side request forgery (SSRF) attacks, and to delete arbitrary files or leak data by performing path traversal attacks. Their exploitation requires authentication, but the mechanism can be bypassed, ZDI warns.

Related: HPE Says Personal Information Stolen in 2023 Russian Hack

Related: Dell, HPE, MediaTek Patch Vulnerabilities in Their Products

Related: Vulnerabilities Patched by Juniper, VMware and Zoom

Related: Nvidia Patches Vulnerabilities That Could Let Hackers Exploit AI Services