Hewlett Packard Enterprise Issues Critical Security Warning for StoreOnce Backup Solutions

Hewlett Packard Enterprise (HPE) has released a crucial security bulletin addressing eight vulnerabilities that affect its StoreOnce disk-based backup and deduplication solution. The vulnerabilities pose significant risks for users, as one flaw, marked as critical, has a CVSS v3.1 score of 9.8 and can lead to authentication bypass.

The eight vulnerabilities include three remote code execution issues, two directory traversal problems and a server-side request forgery fault. The authentication bypass vulnerability, tracked as CVE-2025-37093, has been highlighted as particularly dangerous because it may allow attackers to chain into the remaining vulnerabilities, raising the overall threat.

The flaws were initially disclosed by Zero Day Initiative (ZDI), which reported that the authentication bypass exists within the machineAccountCheck method and results from an inadequate implementation of the authentication algorithm. While CVE-2025-37093 is deemed critical, other flaws such as file deletion and information disclosure also present risks, potentially allowing attackers to obtain sensitive information.

HPE has urged users to upgrade their StoreOnce software to version 4.3.11 to mitigate these vulnerabilities. Administrators of affected installations should apply the update promptly, as HPE has provided no workarounds or alternative mitigations. The company has noted that, although the vulnerabilities were discovered in October 2024, there have been no reported instances of active exploitation at this time.
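Since the only remedy is the 4.3.11 release, the practical defender task is to find every StoreOnce appliance still below that version. The script below is an added example, not HPE tooling and not part of the bulletin: it compares versions numerically, field by field, instead of as strings (a plain string comparison puts "4.3.9" after "4.3.11", which would wrongly mark a vulnerable appliance as patched). The hostnames and installed versions in the inventory are constructed sample data, and the assumption that versions are reported as dotted integers like 4.3.11 (with any trailing build tag ignored) is mine.

```python
import re

# Fixed release named in the HPE bulletin; everything numerically below it needs the update.
FIXED_VERSION = "4.3.11"

# Constructed sample inventory (hostname, reported StoreOnce version); not real hosts.
SAMPLE_INVENTORY = [
    ("storeonce-a", "4.3.10"),
    ("storeonce-b", "4.3.11"),
    ("storeonce-c", "4.3.9"),    # lexically "greater" than 4.3.11, numerically older
    ("storeonce-d", "4.4.0"),
]


def parse_version(version: str) -> tuple:
    """Turn '4.3.10' into (4, 3, 10) so tuple comparison orders releases correctly.

    Only the leading digits of each dot-separated field are used, so a hypothetical
    build tag such as '4.3.11-1' still parses. Unparseable input raises ValueError
    rather than silently comparing as 'patched'.
    """
    parts = []
    for field in version.strip().split("."):
        match = re.match(r"(\d+)", field)
        if not match:
            raise ValueError(f"unparseable version field {field!r} in {version!r}")
        parts.append(int(match.group(1)))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release is numerically older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory) -> list:
    """Return the hostnames that still need the update, in inventory order."""
    return [host for host, version in inventory if is_vulnerable(version)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below {FIXED_VERSION}, schedule upgrade")
```

Feed the same function the version strings pulled from your own appliance inventory or monitoring export; the deliberate ValueError on malformed entries is so that a blank or odd field shows up as a data problem instead of disappearing from the upgrade list.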