
HPE Issues Critical Security Fixes for StoreOnce Backup Systems

June 04, 2025


Hewlett Packard Enterprise (HPE) has rolled out urgent security patches to fix eight separate vulnerabilities in its StoreOnce data backup and deduplication platform. These flaws, if left unaddressed, could enable attackers to bypass authentication measures and execute remote code on affected systems.

According to HPE’s official advisory, the vulnerabilities open the door to various attack vectors, including remote code execution (RCE), information leakage, server-side request forgery (SSRF), unauthorized access, file deletion, and directory traversal attacks.

One of the most serious issues, tracked as CVE-2025-37093, holds a critical severity rating of 9.8 on the CVSS scale. This flaw, found in all versions prior to 4.3.11, allows attackers to bypass authentication entirely. Reported on October 31, 2024, the bug was discovered by an anonymous researcher and shared via the Zero Day Initiative (ZDI).

ZDI explained that the root cause is a flawed implementation of the machineAccountCheck method, which fails to correctly validate authentication. A remote attacker can exploit it to gain unauthorized access and then chain it with the other vulnerabilities to execute code, steal data or delete files, all with root-level privileges.

The list of addressed vulnerabilities includes:

  • CVE-2025-37089 – Remote Code Execution

  • CVE-2025-37090 – Server-Side Request Forgery

  • CVE-2025-37091 – Remote Code Execution

  • CVE-2025-37092 – Remote Code Execution

  • CVE-2025-37093 – Authentication Bypass

  • CVE-2025-37094 – Arbitrary File Deletion via Directory Traversal

  • CVE-2025-37095 – Information Disclosure via Directory Traversal

  • CVE-2025-37096 – Remote Code Execution

In addition, HPE also released updates for other critical vulnerabilities in its Telco Service Orchestrator (CVE-2025-31651) and OneView management software (CVE-2024-38475 and CVE-2024-38476). All three score 9.8 and stem from previously known issues in the bundled Apache Tomcat and Apache HTTP Server components.

At present, no signs of active exploitation have been reported. However, HPE strongly advises all users to apply the latest security updates as soon as possible to minimise risk.
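The advisory's fix line is simple to state (every StoreOnce release before 4.3.11 is affected) but easy to get wrong at scale, because a plain string comparison ranks "4.3.9" above "4.3.11". The following is an added example, not code from HPE or from the advisory: it parses version strings into numeric tuples and flags hosts that still need the update. It assumes StoreOnce reports versions as dotted numbers with an optional build suffix such as "4.3.10-2534"; that format and the host inventory are constructed for illustration.

```python
import re

# Fixed release named in the HPE advisory: all versions prior to 4.3.11 are affected.
FIXED_VERSION = "4.3.11"


def parse_version(v: str) -> tuple:
    """Parse the leading dotted-numeric part of a version string into an int tuple.

    Assumption (not from the advisory): versions look like "4.3.10" or
    "4.3.10-2534"; an optional leading "v" and anything after the numeric
    components (build suffix) are ignored.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is older than the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so "4.3" compares as "4.3.0".
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def naive_string_compare(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """The wrong way: lexical comparison says "4.3.9" is NOT below "4.3.11"."""
    return installed < fixed


def triage(inventory: dict) -> dict:
    """Map each host to 'affected' or 'patched' using the numeric comparison."""
    return {host: ("affected" if is_affected(ver) else "patched")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real hosts.
    inventory = {
        "so-backup-01": "4.3.9",
        "so-backup-02": "4.3.11",
        "so-backup-03": "4.2.4-2200",
        "so-backup-04": "4.3.11.1",
    }
    for host, status in triage(inventory).items():
        print(f"{host:14} {inventory[host]:12} {status}")
```

The `naive_string_compare` function is there only to show the failure mode: it reports the 4.3.9 host as already patched, which is exactly the kind of false negative that leaves an authentication-bypass exposed on an internet-reachable backup appliance.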

Stay alert, and keep your security measures updated!
