HPE Patches Critical Vulnerability in StoreOnce

HPE Patches Critical Vulnerability in StoreOnce

Posted on By CWS

Hewlett Packard Enterprise (HPE) this week introduced fixes for a number of vulnerabilities in StoreOnce software program, together with a vital flaw resulting in authentication bypass.

The StoreOnce software program powers HPE’s storage merchandise, that are secondary storage methods that present information safety, copy administration, backup, and deduplication capabilities, to extend effectivity. StoreOnce VSA, a digital equipment providing the identical performance, can be accessible.

The vital challenge addressed in StoreOnce this week, tracked as CVE-2025-37093 (CVSS rating of 9.8), was found within the software program’s implementation of the machineAccountCheck technique.

“The problem outcomes from improper implementation of an authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system,” a ZDI advisory reads.

CVE-2025-37093 doesn’t seem to have been exploited within the wild, however it isn’t unusual for menace actors to focus on backup options, safety agency Arctic Wolf warns.

“Arctic Wolf has not noticed any energetic exploitation of this vulnerability within the wild or any publicly accessible proof-of-concept (PoC) exploit. Nevertheless, menace actors could goal it within the close to future, as backup options have been frequent targets previously,” the corporate notes.

HPE addressed the bug with the discharge of StoreOnce model 4.3.11. The replace additionally resolves seven different safety defects, together with 4 rated ‘excessive severity’ that might result in distant code execution (RCE).

Whereas all 4 RCE flaws require authentication to be exploited, they might be chained with the vital authentication bypass to completely compromise weak methods.Commercial. Scroll to proceed studying.

The remaining vulnerabilities might be exploited to carry out server-side request forgery (SSRF) assaults, and to delete arbitrary information or leak information by performing path traversal assaults. Their exploitation requires authentication, however the mechanism could be bypassed, ZDI warns.

Associated: HPE Says Private Data Stolen in 2023 Russian Hack

Associated: Dell, HPE, MediaTek Patch Vulnerabilities in Their Merchandise

Associated: Vulnerabilities Patched by Juniper, VMware and Zoom

Associated: Nvidia Patches Vulnerabilities That May Let Hackers Exploit AI Companies

Security Week News Tags:, , , ,

Related Posts

Cisco SD-WAN Vulnerability Exploitation Grows Rapidly Cisco SD-WAN Vulnerability Exploitation Grows Rapidly Security Week News
Predatory Sparrow Burns Million on Iranian Crypto Exchange in Cyber Shadow War Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War Security Week News
North Korean Hackers Use Fake Zoom Updates to Install macOS Malware North Korean Hackers Use Fake Zoom Updates to Install macOS Malware Security Week News
Recent SAP S/4HANA Vulnerability Exploited in Attacks Recent SAP S/4HANA Vulnerability Exploited in Attacks Security Week News
The Congressional Budget Office Was Hacked. It Says It Has Implemented New Security Measures The Congressional Budget Office Was Hacked. It Says It Has Implemented New Security Measures Security Week News
SBOM Pioneer Allan Friedman Joins NetRise to Advance Supply Chain Visibility SBOM Pioneer Allan Friedman Joins NetRise to Advance Supply Chain Visibility Security Week News