HPE Fixes Critical Flaws in StoreOnce Software
Hewlett Packard Enterprise (HPE) has issued a series of security patches for its StoreOnce data backup and deduplication solution, addressing multiple vulnerabilities that could be exploited by attackers to gain unauthorized access to sensitive data.
The company has released security patches for eight distinct flaws in its StoreOnce software, which can be exploited remotely by an attacker. These issues include remote code execution, authentication bypass, data leaks, server-side request forgery, arbitrary file deletion, and directory traversal information disclosure vulnerabilities.
The most severe vulnerability addressed by HPE is an Authentication Bypass issue, tracked as CVE-2025-37093 (CVSS score of 9.8). This flaw impacts all versions prior to 4.3.11 and allows attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive data.
"An authentication bypass vulnerability exists in HPE StoreOnce Software," reads the advisory published by NIST. "This vulnerability can be chained with other flaws addressed by HPE to achieve remote code execution."
Vulnerability Details
- Authentication Bypass (CVE-2025-37093) - CVSS score of 9.8, impacts all versions prior to 4.3.11.
- Remote Code Execution
- Data Leaks
- Server-side Request Forgery
- Arbitrary File Deletion
- Directory Traversal Information Disclosure Vulnerability
HPE has released security patches for the StoreOnce software to address these vulnerabilities and prevent potential attacks.
Note: HPE has already issued a notification to its customers, advising them to apply the security patches as soon as possible. It is essential for users of StoreOnce software to take immediate action to protect their data from potential exploitation of these vulnerabilities.