Hewlett Packard Enterprise (HPE) has released security updates for multiple vulnerabilities in its StoreOnce software, including a critical authentication bypass flaw.
StoreOnce is HPE’s secondary storage solution designed for data protection, backup, deduplication, and copy management. The software is available as both a physical appliance and a virtual version known as StoreOnce VSA.
The most serious flaw, tracked as CVE-2025-37093 with a CVSS score of 9.8, lies in the machineAccountCheck method. According to the Zero Day Initiative (ZDI), the issue arises from a flawed implementation of the authentication algorithm, allowing attackers to bypass system authentication.
Although there is no indication that this vulnerability has been exploited in the wild, security firm Arctic Wolf cautions that backup systems are common targets. They note that no public proof-of-concept is available at this time, but threat actors could move quickly to exploit the flaw.
HPE has fixed the vulnerability in StoreOnce version 4.3.11. This update also patches seven additional security issues, including four high-severity remote code execution (RCE) flaws. While the RCE bugs require authentication to exploit, they could potentially be combined with the authentication bypass to gain full control of affected systems.
Other patched issues include vulnerabilities that could enable server-side request forgery (SSRF), arbitrary file deletion, or data exposure through path traversal. Though these also require authentication, ZDI warns that the critical flaw could render such protections ineffective.