Security Alert: Major CVE-2025-37093 Vulnerability Affects HPE StoreOnce Systems


Security Advisory: Vulnerabilities in HPE StoreOnce

Hewlett Packard Enterprise (HPE) has recently issued a significant security advisory concerning eight vulnerabilities found in its StoreOnce data backup and deduplication platform. Understanding these vulnerabilities is crucial for organizations relying on this platform, as they pose a serious risk to system integrity and data security.

Overview of Vulnerabilities

Among the identified vulnerabilities, the most critical is an authentication bypass, designated CVE-2025-37093. This vulnerability carries a near-maximum CVSS score of 9.8, highlighting its severity. The advisory notes that multiple versions of the StoreOnce Virtual Storage Appliance (VSA), namely those released prior to version 4.3.11, are exposed to a range of remote exploitation risks.

Key Risks

The vulnerabilities outlined in the advisory include:

  • Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Arbitrary File Deletion
  • Information Disclosure
  • Directory Traversal
  • Authentication Bypass

Such vulnerabilities could enable unauthorized access, remote code execution, and various forms of data manipulation, raising serious security concerns for affected systems.

Spotlight on CVE-2025-37093

CVE-2025-37093 is particularly alarming due to its potential impact. This flaw allows unauthenticated attackers to bypass authentication mechanisms, granting unauthorized access to sensitive systems.

Reported by an anonymous researcher in collaboration with the Trend Micro Zero Day Initiative (ZDI) on October 31, 2024, this vulnerability was identified as ZDI-CAN-24985 and has since been addressed in the updated software.

The CVSS vector for this vulnerability, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, underscores its critical nature: it is reachable over the network, has low attack complexity, requires no privileges and no user interaction, and a successful exploit fully compromises confidentiality, integrity and availability.

Full List of Vulnerabilities

In addition to the pressing concern of CVE-2025-37093, the advisory details several other vulnerabilities, each varying in severity:

  • CVE-2025-37089 (ZDI-CAN-24981) – Remote Code Execution (CVSS: 7.2)
  • CVE-2025-37090 (ZDI-CAN-24982) – Server-Side Request Forgery (CVSS: 5.3)
  • CVE-2025-37091 (ZDI-CAN-24983) – Remote Code Execution (CVSS: 7.2)
  • CVE-2025-37092 (ZDI-CAN-24984) – Remote Code Execution (CVSS: 7.2)
  • CVE-2025-37094 (ZDI-CAN-25314) – Directory Traversal / Arbitrary File Deletion (CVSS: 5.5)
  • CVE-2025-37095 (ZDI-CAN-25315) – Directory Traversal / Information Disclosure (CVSS: 4.9)
  • CVE-2025-37096 (ZDI-CAN-25316) – Remote Code Execution (CVSS: 7.2)

Of the eight, CVE-2025-37093 demands immediate attention because it can grant full access to a system without any credentials.

Who Is Affected and Mitigation Strategies

The vulnerabilities predominantly affect systems running HPE StoreOnce VSA software versions earlier than 4.3.11. Organizations using these versions are strongly advised to upgrade to the patched version, which includes fixes for all eight identified vulnerabilities.

While HPE has made the updates available through the HPE Support Center, organizations should still route them through their internal patch management procedures so that the vendor patches are applied consistently across every affected appliance.
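The first step in that patch process is knowing which appliances are below the fixed version. The following added example (not HPE tooling) triages a constructed inventory of StoreOnce VSA hosts against the 4.3.11 threshold the advisory gives; the CSV layout, hostnames and version strings are all made up for illustration, and the exact affected ranges should be confirmed against HPE's advisory before acting on the output.

```python
"""Flag StoreOnce VSA hosts running a version earlier than 4.3.11 (added example)."""
import csv
import io
import re

# Threshold from the advisory: versions earlier than 4.3.11 are affected.
FIXED_VERSION = (4, 3, 11)

# Leading dotted numeric component; trailing build tags are ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """Turn '4.3.9' (or '4.3.9-build17') into (4, 3, 9) for numeric comparison.

    Comparing as strings is the classic mistake: '4.3.9' > '4.3.11' lexically,
    so a string compare would wrongly mark 4.3.9 as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the host's version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory_csv: str) -> list:
    """Read 'hostname,version' rows and return (hostname, version, status) tuples.

    Status is 'AFFECTED', 'PATCHED' or 'UNKNOWN' (unparseable version), so that
    a host with a garbled version is surfaced rather than silently skipped.
    """
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, version = row["hostname"].strip(), row["version"].strip()
        try:
            status = "AFFECTED" if is_affected(version) else "PATCHED"
        except ValueError:
            status = "UNKNOWN"
        results.append((host, version, status))
    return results


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = """hostname,version
vsa-backup-01,4.3.9
vsa-backup-02,4.3.11
vsa-backup-03,4.3.10-build17
vsa-dr-01,4.4.0
vsa-lab-01,n/a
"""


def affected_hosts(inventory_csv: str = SAMPLE_INVENTORY) -> list:
    """Hostnames that still need the 4.3.11 upgrade."""
    return [h for h, _, status in triage(inventory_csv) if status == "AFFECTED"]


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {version:16} {status}")
```

Hosts marked UNKNOWN deserve a manual look: an appliance whose version cannot be read is usually one that has fallen out of routine management, which is exactly the kind of backup system the advisory warns is being targeted.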

Conclusion

The disclosure of multiple vulnerabilities in HPE’s StoreOnce software, particularly the critical authentication bypass flaw CVE-2025-37093, highlights the urgent need for organizations to bolster their security strategies. As attackers increasingly target backup infrastructure for network infiltration or disruption of recovery efforts, unpatched StoreOnce deployments are at heightened risk.

Timely action to upgrade to the patched version of the software is not just advisable—it is essential for protecting sensitive data and reinforcing operational resilience. Organizations must prioritize system updates to mitigate potential risks posed by these vulnerabilities.
