Hewlett Packard Enterprise (HPE) has released security updates to address eight vulnerabilities in StoreOnce data backup and deduplication solutions, potentially resulting in authentication bypassing and remote code execution.
“These vulnerabilities could be exploited remotely to allow vulnerabilities in remote code execution, information disclosure, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal information,” HPE said in its advisory.
This includes fixes for critical security flaws tracked as CVE-2025-37093, which is rated 9.8 on the CVSS scoring system. It was described as an authentication bypass bug that affects all versions of the software prior to 4.3.11. The vulnerability, along with the rest, was reported to the vendor on October 31, 2024.
According to the Zero Day Initiative (ZDI), anonymous researchers have found and reported the shortcomings, and the issue is rooted in the implementation of the MachineaCcountCheck method.
“This issue is caused by an inappropriate implementation of the authentication algorithm,” ZDI said. “Attackators can exploit this vulnerability to bypass authentication on the system.”
The successful exploitation of CVE-2025-37093 allows remote attackers to bypass authentication on affected installations. What makes the vulnerability even more serious is that it can be chained with the remaining flaws to achieve code execution, information disclosure, and arbitrary file deletion in the context of the root –
- CVE-2025-37089-Remote code execution
- CVE-2025-37090-Server-Side Request Forged
- CVE-2025-37091-Remote code execution
- CVE-2025-37092-Run Remote Code
- CVE-2025-37093-Authentication bypass
- CVE-2025-37094-Directory Traversal Delete any file
- CVE-2025-37095-Directory Traversal Information Disclosure
- CVE-2025-37096-Run Remote Code
HPE also ships patches that address multiple severity defects for HPE Telco Service Orchestrator (CVE-2025-31651, CVSS Score: 9.8) and Oneview (CVE-2024-38475, CVE-2024-38476, CVSS Scores Inn) postponed: 9.8SS scores, as HPE also shipped patches that address multiple severity defects for CVE-2024-38475, CVE-2024-38476 until the advent of 9.8SS scores. Apache HTTP server.
There are no reports of aggressive exploitation, but it is essential that users apply the latest updates for optimal protection.
