Hewlett Packard Enterprise (HPE) has issued a critical security bulletin revealing multiple severe vulnerabilities in its StoreOnce Software, which could allow attackers to remotely execute malicious code, bypass authentication, disclose sensitive information, and perform unauthorized file operations.
These flaws affect HPE StoreOnce Virtual Storage Appliance (VSA) versions prior to 4.3.11, potentially exposing enterprise data backup and deduplication environments to significant risk.
Technical Overview
The security advisory details eight distinct vulnerabilities that collectively present a dangerous attack surface for remote exploitation.
Notably, several of these are Remote Code Execution (RCE) vulnerabilities with high severity CVSS scores of 7.2, and an alarming Authentication Bypass vulnerability carrying an exceptionally high CVSS score of 9.8.
Key Vulnerabilities and CVSS Scores
| CVE Identifier | Vulnerability Type | Attack Vector | Privileges Required | User Interaction | CVSS v3.1 Base Score |
|---|---|---|---|---|---|
| CVE-2025-37089 | Remote Code Execution | Network | High | None | 7.2 |
| CVE-2025-37090 | Server-Side Request Forgery | Network | None | None | 5.3 |
| CVE-2025-37091 | Remote Code Execution | Network | High | None | 7.2 |
| CVE-2025-37092 | Remote Code Execution | Network | High | None | 7.2 |
| CVE-2025-37093 | Authentication Bypass | Network | None | None | 9.8 |
| CVE-2025-37094 | Arbitrary File Deletion | Network | High | None | 5.5 |
| CVE-2025-37095 | Directory Traversal Info Disclosure | Network | High | None | 4.9 |
| CVE-2025-37096 | Remote Code Execution | Network | High | None | 7.2 |
Among these, the authentication bypass vulnerability (CVE-2025-37093) is particularly concerning. It allows attackers to completely circumvent authentication controls remotely without any user interaction, granting them full control over the affected systems.
This dramatically increases the risk of large-scale exploits within compromised network environments.
Vulnerability Descriptions
Remote Code Execution (RCE): Attackers can execute arbitrary code remotely with elevated privileges, potentially installing malware, disrupting services, or stealing sensitive data.
Server-Side Request Forgery (SSRF): Enables attackers to craft requests that the affected server issues on their behalf, potentially leading to further internal network compromise.
Authentication Bypass: This flaw allows attackers to bypass all authentication mechanisms, gaining unauthorized access.
Directory Traversal and Arbitrary File Deletion: Attackers can manipulate file system paths to access restricted files or delete critical data, degrading system integrity.
Information Disclosure: Unauthorized access to sensitive configuration or backup data that could aid in subsequent attacks.
Impact and Recommended Mitigation
The vulnerabilities affect HPE StoreOnce VSA versions prior to 4.3.11, a widely used solution for backup and data deduplication in enterprise environments.
Given the critical nature of StoreOnce in protecting business continuity, exploitation of these flaws could lead to devastating data loss, ransomware deployment, or unauthorized data exfiltration.
Immediate Actions for Enterprises
- Upgrade to StoreOnce Software v4.3.11 or Later: HPE has released patches to fully remediate these vulnerabilities. Users should immediately download and deploy the latest version from the HPE Support Center.
- Update Patch Management Policies: Incorporate these fixes promptly within your organization’s security patch lifecycle to reduce exposure time.
- Review Network Access Controls: Restrict external access to StoreOnce appliances wherever possible to minimize attack surface.
- Monitor for Suspicious Activity: Implement enhanced logging and intrusion detection for unusual access or command execution attempts.
Example: Secure Upgrade Check Script Snippet
```bash
#!/bin/bash
# Simple check for StoreOnce software version on Linux-based systems.
# Assumes a `storeonce --version` command that prints a dotted version string such as 4.3.10.
current_version=$(storeonce --version)
required_version="4.3.11"
# Compare as version numbers with sort -V, not as strings: the bash `<` string
# comparison would wrongly treat 4.3.9 as newer than 4.3.11.
lowest=$(printf '%s\n' "$current_version" "$required_version" | sort -V | head -n1)
if [[ "$lowest" == "$current_version" && "$current_version" != "$required_version" ]]; then
  echo "Urgent: Your StoreOnce version ($current_version) is vulnerable. Please upgrade to $required_version or later."
else
  echo "Your StoreOnce version ($current_version) is up to date and secure."
fi
```
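The snippet above depends on `sort -V`, which is not available on every system. The following added example (not from the HPE bulletin) compares dotted version strings field by field in portable POSIX sh, so that 4.3.9 and 4.3.10 are correctly flagged as older than the fixed 4.3.11 release; the inventory of hostnames and versions is constructed for illustration.

```shell
#!/bin/sh
# Added example: field-by-field comparison of dotted numeric version strings.
# Avoids the lexicographic trap where "4.3.9" sorts after "4.3.11".
# Assumes purely numeric fields (e.g. 4.3.10), as HPE StoreOnce VSA versions use.

# version_lt A B -> exit status 0 if A is strictly older than B, 1 otherwise.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading numeric field of each string; a missing field counts as 0.
        fa="${a%%.*}"; fb="${b%%.*}"
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        # Drop the consumed field; once no dot remains, the string is exhausted.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# storeonce_vsa_vulnerable VERSION -> 0 if VERSION is before the fixed 4.3.11 release.
storeonce_vsa_vulnerable() {
    version_lt "$1" "4.3.11"
}

# Constructed sample inventory (hostname and reported version per line).
SAMPLE_INVENTORY="vsa-backup-01 4.3.9
vsa-backup-02 4.3.11
vsa-backup-03 4.3.10
vsa-backup-04 4.4.0"

# Print one status line per appliance from the sample inventory.
report() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r host ver; do
        if storeonce_vsa_vulnerable "$ver"; then
            echo "$host $ver VULNERABLE - upgrade to 4.3.11 or later"
        else
            echo "$host $ver ok"
        fi
    done
}
```

Running `report` on the constructed inventory flags vsa-backup-01 and vsa-backup-03 only.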
HPE acknowledges anonymous researchers working with Trend Micro’s Zero Day Initiative for responsibly disclosing these vulnerabilities. Customers are encouraged to report any potential security issues to HPE via:
- Email: security-alert@hpe.com
- Reporting Form: https://www.hpe.com/info/report-security-vulnerability
Further details on HPE’s security policies and bulletin archives are available on their official site.
The uncovered vulnerabilities in HPE StoreOnce software represent a critical threat to enterprise data integrity and operational security.
Organizations leveraging these backup appliances must act without delay to apply vendor patches and harden their environments against remote code execution and authentication bypass attacks.
Proactive security management remains essential to protect sensitive information and ensure resilient IT infrastructure.