A number of security vulnerabilities have been identified in the Hewlett Packard Enterprise (HPE) StoreOnce software platform that could allow remote attackers to execute malicious code, bypass authentication mechanisms, and access sensitive enterprise data.
The vulnerabilities affect HPE StoreOnce VSA versions prior to 4.3.11 and present significant risks to enterprise backup and storage infrastructure worldwide.
Security Flaws Impact Enterprise Storage Security
The newly identified vulnerabilities represent a broad attack surface that threatens the core security of enterprise storage environments.
CVE-2025-37093 represents one of the most severe security risks identified in Hewlett Packard Enterprise's StoreOnce backup and recovery platform.
This authentication bypass flaw allows unauthenticated remote attackers to completely bypass security controls and gain unauthorized access to enterprise storage systems.
With a CVSS v3.1 base score of 9.8 (Critical), this vulnerability poses existential risks to organizations relying on unpatched HPE StoreOnce deployments for data protection.
The vulnerability portfolio includes several remote code execution (RCE) flaws tracked as CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, and CVE-2025-37096, each carrying a CVSS score of 7.2.
These vulnerabilities exploit weaknesses in the StoreOnce software architecture, enabling authenticated attackers with high privileges to execute arbitrary code remotely on affected systems.
The AV:N (Attack Vector: Network) designation indicates that these exploits can be launched across network boundaries, significantly expanding the potential attack surface for malicious actors targeting enterprise storage infrastructure.
The technical composition of these vulnerabilities reveals sophisticated attack methodologies that target multiple layers of the StoreOnce software stack.
The directory traversal vulnerabilities CVE-2025-37094 and CVE-2025-37095 exploit path manipulation weaknesses, with the former enabling arbitrary file deletion (CVSS 5.5) and the latter facilitating information disclosure (CVSS 4.9).
These vulnerabilities are described by the CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U vector notation, indicating network-accessible attacks with low complexity requirements.
The remote code execution vulnerabilities share common characteristics in their CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H vector strings, signifying high impact potential across the confidentiality, integrity, and availability domains.
The PR:H designation indicates that while high privileges are required for exploitation, successful attacks can result in complete system compromise.
The AC:L (Attack Complexity: Low) rating means that these vulnerabilities can be exploited with readily available tools and techniques, making them attractive targets for both sophisticated threat actors and opportunistic attackers.
Anonymous security researchers working in collaboration with Trend Micro's Zero Day Initiative (ZDI) discovered these vulnerabilities through coordinated research efforts.
Mitigations
Organizations using HPE StoreOnce VSA deployments should prioritize immediate remediation through software updates to version 4.3.11 or later.
HPE has confirmed that all identified vulnerabilities have been addressed in this release, which is available through the official Hewlett Packard Enterprise Support Center download portal.
The remediation timeline is critical, particularly given the presence of the 9.8 CVSS-rated authentication bypass vulnerability, which requires no user interaction for exploitation.
System administrators should implement comprehensive vulnerability scanning procedures to identify affected StoreOnce installations within their infrastructure.
They should also follow established patch management policies when deploying third-party security updates alongside the StoreOnce software upgrade.
Organizations should also review network segmentation strategies to limit potential attack vectors while implementing the necessary software updates.