Hewlett Packard Enterprise (HPE) this week introduced fixes for a number of vulnerabilities in StoreOnce software program, together with a vital flaw resulting in authentication bypass.
The StoreOnce software program powers HPE’s storage merchandise, that are secondary storage methods that present information safety, copy administration, backup, and deduplication capabilities, to extend effectivity. StoreOnce VSA, a digital equipment providing the identical performance, can be accessible.
The vital challenge addressed in StoreOnce this week, tracked as CVE-2025-37093 (CVSS rating of 9.8), was found within the software program’s implementation of the machineAccountCheck technique.
“The problem outcomes from improper implementation of an authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system,” a ZDI advisory reads.
CVE-2025-37093 doesn’t seem to have been exploited within the wild, however it isn’t unusual for menace actors to focus on backup options, safety agency Arctic Wolf warns.
“Arctic Wolf has not noticed any energetic exploitation of this vulnerability within the wild or any publicly accessible proof-of-concept (PoC) exploit. Nevertheless, menace actors could goal it within the close to future, as backup options have been frequent targets previously,” the corporate notes.
HPE addressed the bug with the discharge of StoreOnce model 4.3.11. The replace additionally resolves seven different safety defects, together with 4 rated ‘excessive severity’ that might result in distant code execution (RCE).
Whereas all 4 RCE flaws require authentication to be exploited, they might be chained with the vital authentication bypass to completely compromise weak methods.Commercial. Scroll to proceed studying.
The remaining vulnerabilities might be exploited to carry out server-side request forgery (SSRF) assaults, and to delete arbitrary information or leak information by performing path traversal assaults. Their exploitation requires authentication, however the mechanism could be bypassed, ZDI warns.
Associated: HPE Says Private Data Stolen in 2023 Russian Hack
Associated: Dell, HPE, MediaTek Patch Vulnerabilities in Their Merchandise
Associated: Vulnerabilities Patched by Juniper, VMware and Zoom
Associated: Nvidia Patches Vulnerabilities That May Let Hackers Exploit AI Companies
