
Hewlett Packard Enterprise (HPE) has issued an urgent security bulletin warning of eight vulnerabilities in its StoreOnce disk-based backup and deduplication solution, including a critical authentication bypass flaw (CVE-2025-37093) rated 9.8 on the CVSS scale. The vulnerabilities affect versions prior to 4.3.11 of StoreOnce VSA and could allow unauthenticated attackers to gain full system access, execute arbitrary commands, or manipulate backup data [1].
Executive Summary for Security Leaders
The most severe vulnerability (CVE-2025-37093) enables complete system compromise without authentication, while secondary flaws permit remote code execution (CVE-2025-37089) and server-side request forgery (CVE-2025-37090). HPE released patches on June 3, 2025, following coordinated disclosure through the Zero Day Initiative [3]. The Belgian Centre for Cybersecurity has flagged these vulnerabilities as high-risk for enterprises using StoreOnce for sensitive data backup [5].
- Critical Risk: CVE-2025-37093 (CVSS 9.8) allows complete system takeover
- Affected Versions: StoreOnce VSA prior to 4.3.11
- Patch Available: HPE Bulletin HPEBST04847EN_US [1]
- Exploit Status: No public PoC, but low attack complexity
Technical Analysis of Vulnerabilities
The authentication bypass (CVE-2025-37093) stems from improper validation of session tokens in the StoreOnce web management interface. Attackers can craft HTTP requests with malformed headers to gain administrative privileges without credentials. This vulnerability is particularly dangerous as StoreOnce systems often contain sensitive backup data with minimal network segmentation [4].
Secondary vulnerabilities include:
| CVE ID | Type | CVSS | Impact |
|---|---|---|---|
| CVE-2025-37089 | Remote Code Execution | 7.2 | Command injection via API parameters |
| CVE-2025-37090 | SSRF | 5.3 | Internal network reconnaissance |
| CVE-2025-37094 | Directory Traversal | 5.5 | Backup file manipulation |
Mitigation and Response
HPE recommends immediate patching to version 4.3.11, available through standard support channels [1]. For systems that cannot be immediately updated:
“Organizations should restrict network access to StoreOnce management interfaces using firewall rules and monitor authentication logs for unusual patterns. Backup integrity checks should be performed post-patching to ensure data wasn’t compromised during the vulnerability window.” – HPE Security Bulletin [1]
The GitHub Security Advisory recommends additional measures including network segmentation and reviewing system logs for signs of exploitation attempts [4].
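As an added example (not code from the HPE bulletin or any of the cited advisories), a small inventory triage helper that decides whether a reported StoreOnce VSA version predates the 4.3.11 fix. It compares version components numerically so that 4.3.9 is correctly treated as older than 4.3.11, and it reports unparseable versions instead of silently treating them as safe. The hostnames and version strings are constructed sample data.

```python
import re

# Fixed release per the HPE bulletin: versions prior to 4.3.11 are affected.
PATCHED_VERSION = "4.3.11"


def parse_version(version: str) -> tuple:
    """Turn '4.3.11' or '4.3.11-build42' into a comparable tuple of ints.

    Comparing as strings would be wrong ('4.3.9' > '4.3.11' lexicographically),
    so each dotted component is converted to an integer. Missing components
    are padded with zeros so '4.3' compares as (4, 3, 0).
    """
    core = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in core.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version predates the 4.3.11 fix."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def triage_inventory(inventory: dict) -> dict:
    """Split a {host: version} inventory into patch-needed, current and unknown hosts."""
    result = {"needs_patch": [], "current": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "needs_patch" if is_affected(version) else "current"
        except ValueError:
            # Unparseable versions are surfaced for manual review, never assumed safe.
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "storeonce-dc1": "4.3.9",
    "storeonce-dc2": "4.3.11",
    "storeonce-lab": "4.2.12-build7",
    "storeonce-dr": "4.3.12",
    "storeonce-old": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```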
Conclusion
These vulnerabilities represent significant risks to organizations using HPE StoreOnce for critical data backup. The combination of authentication bypass and remote code execution capabilities could enable attackers to compromise backup systems – often the last line of defense against ransomware attacks. Prompt patching and network access controls are essential given the high CVSS scores and potential impact on business continuity.
References
- “HPE Security Bulletin HPEBST04847EN_US”, HPE, 2025.
- “Critical HPE StoreOnce Flaw”, GBHackers, 2025.
- “ZDI-25-316: HPE StoreOnce Authentication Bypass Vulnerability”, Zero Day Initiative, 2025.
- “GHSA-g9qh-c549-gj4x”, GitHub Advisory Database, 2025.
- “CCB Advisory on HPE StoreOnce Vulnerabilities”, Centre for Cybersecurity Belgium, 2025.