HPE flags critical StoreOnce auth bypass, users should update now
Eight vulnerabilities patched at once, including a critical severity auth bypass.

- HPE patches eight flaws in StoreOnce platform
- Among the flaws is a critical severity authentication bypass
- There are no workarounds and users are advised to patch up
Hewlett Packard Enterprise (HPE) has revealed patches for a number of dangerous flaws affecting its data backup and recovery solution, StoreOnce, including a critical-severity bug which allows threat actors to gain full access to the vulnerable system without user interaction.
The bug is tracked as CVE-2025-37093 and is described as an authentication bypass flaw stemming from improper authentication handling. It has a severity score of 9.8/10 (critical) and could potentially be abused to compromise system integrity, allow threat actors to access sensitive data, and cause various disruptions and availability issues.
Crooks could use it to deploy ransomware, steal sensitive data, or move laterally throughout the target network.
Eight flaws patched
In HPE’s advisory, the company said all versions prior to 4.3.11 were vulnerable, and has urged users to update their software as soon as possible.
There are no other mitigations or workarounds, so if you can’t update your instance immediately, it would be best to remove the product until you can patch it.
The issues were reportedly discovered seven months ago, but apparently no one has abused them in the wild so far.
In total, HPE patched eight flaws this time around. While the authentication bypass is the most severe one, others are potentially dangerous, as well.
Here is a list of the other seven flaws HPE fixed in version 4.3.11:
- CVE-2025-37089 – Remote Code Execution
- CVE-2025-37090 – Server-Side Request Forgery
- CVE-2025-37091 – Remote Code Execution
- CVE-2025-37092 – Remote Code Execution
- CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
- CVE-2025-37095 – Directory Traversal Information Disclosure
- CVE-2025-37096 – Remote Code Execution
HPE StoreOnce is a disk-based backup and recovery system that uses data deduplication to reduce storage needs. It is usually used by enterprises, government agencies, and mid-sized businesses with complex IT environments.
StoreOnce supports integration with other backup and enterprise software, such as HPE Data Protector, Veeam, Veritas NetBackup, Commvault, and Microsoft Data Protection Manager. It also connects with cloud storage through HPE Cloud Bank Storage.
Via BleepingComputer