HPE Releases Security Patch for StoreOnce to Fix Remote Authentication Bypass Vulnerability


HPE Releases Security Patches for Vulnerabilities in StoreOnce

Hewlett Packard Enterprise (HPE) has addressed significant vulnerabilities in its StoreOnce data backup and deduplication solution. The recent updates tackle multiple issues that could lead to serious security breaches, including authentication bypass and remote code execution.

Understanding the Vulnerabilities

In total, HPE has identified and patched eight vulnerabilities within StoreOnce. According to the advisory released by the company, these issues could allow unauthorized access to systems, enabling remote code execution, server-side request forgery, arbitrary file deletion, and disclosure of sensitive information. The most severe of them, tracked as CVE-2025-37093, carries a CVSS score of 9.8, placing it in the critical range.

CVE-2025-37093 is an authentication bypass affecting all software versions prior to 4.3.11. HPE was first informed of this critical vulnerability on October 31, 2024, and has since rolled out fixes to harden the product against potential attacks.

The Root Cause

The Zero Day Initiative (ZDI), which credited an anonymous researcher for identifying the flaws, highlighted that the vulnerabilities stem from the improper implementation of the machineAccountCheck method. ZDI noted that the flawed authentication algorithm enables attackers to circumvent the authentication process entirely.

This lapse opens the door for remote attackers to exploit the system, allowing them to bypass authentication completely. Moreover, the nature of the vulnerability makes it particularly dangerous as it can be combined with other weaknesses to execute arbitrary code, leak information, or delete files at the root level.

Additional Vulnerabilities Identified

The list of vulnerabilities patched alongside CVE-2025-37093 includes:

  • CVE-2025-37089 – Remote Code Execution
  • CVE-2025-37090 – Server-Side Request Forgery
  • CVE-2025-37091 – Remote Code Execution
  • CVE-2025-37092 – Remote Code Execution
  • CVE-2025-37094 – Directory Traversal with Arbitrary File Deletion
  • CVE-2025-37095 – Directory Traversal for Information Disclosure
  • CVE-2025-37096 – Remote Code Execution

Each of these vulnerabilities poses a significant risk, underscoring the need for prompt action to mitigate potential threats.

Broader Security Measures

The urgency of these updates coincides with HPE’s release of patches for other critical vulnerabilities within its product suite. This includes serious flaws in HPE Telco Service Orchestrator (CVE-2025-31651, CVSS score: 9.8) and OneView (CVE-2024-38475 and CVE-2024-38476, both with CVSS scores of 9.8). These patches address previous weaknesses identified in Apache Tomcat and the Apache HTTP Server.

While there are currently no reports indicating that these vulnerabilities have been actively exploited in the wild, users are strongly encouraged to apply the most recent updates. Doing so is vital for maintaining security and protecting sensitive data stored within their systems.

Conclusion

As cyber threats continue to evolve, the importance of timely software updates cannot be overstated. HPE’s recent release of security patches underscores the company’s commitment to safeguarding its users from potential vulnerabilities. By staying informed and applying updates promptly, users enhance their own cybersecurity measures and contribute to a more secure digital landscape.
