
Hewlett Packard Enterprise (HPE) has issued a security bulletin warning about critical vulnerabilities in its StoreOnce data backup and deduplication solution. StoreOnce is widely used by organisations and government agencies for efficient data storage and recovery. However, recent discoveries have highlighted significant security flaws that could be exploited by malicious actors.
The most severe of these vulnerabilities is an authentication bypass flaw, tracked as CVE-2025-37093, which has a critical severity score of 9.8/10. The flaw stems from an improper implementation of an authentication algorithm, allowing attackers to bypass authentication and gain unauthorised access to the system. Once inside, attackers could execute code remotely, disclose sensitive information, and delete arbitrary files.
In total, HPE has identified and patched eight vulnerabilities in StoreOnce, including issues related to remote code execution, server-side request forgery, and directory traversal. These vulnerabilities were reported to HPE in October 2024, and patches have been released to address them.
The implications of these vulnerabilities are severe. If exploited, they could lead to data breaches, ransomware attacks, and other forms of cybercrime. Attackers could gain full access to the system, compromising its integrity and availability. This could result in significant disruptions to business operations and the loss of sensitive data.
To mitigate these risks, HPE has urged all users to update their StoreOnce software to the latest version (4.3.11) immediately. There are no workarounds or alternative mitigations, making it crucial for users to apply the patches as soon as possible. If updating is not feasible, it is recommended to temporarily remove the product from the network until it can be patched.