HPE has issued a security bulletin for eight vulnerabilities in StoreOnce, its disk-based backup and deduplication software. Among the patched issues is a critical authentication vulnerability with a CVSS score of 9.8.
We regularly write about vulnerabilities with such scores, and have previously indicated that this is by no means the whole story. Nevertheless, the octet of vulnerabilities is ominous: eight combined software flaws give attackers room to maneuver.
The issues affect all versions of HPE StoreOnce Software prior to v4.3.11, which is now the recommended upgrade version. Zero Day Initiative (ZDI) discovered the vulnerabilities and reported them to HPE in October 2024.
Authentication bypass as key
Of the eight patched vulnerabilities, CVE-2025-37093 is the most risky. This authentication bypass has a CVSS v3.1 score of 9.8. Discoverer Zero Day Initiative reports that the problem lies in the implementation of the machineAccountCheck method, which contains a flawed implementation of an authentication algorithm.
Although only CVE-2025-37093 is classified as critical, ZDI warns that this vulnerability is the key to exploiting all other issues. The authentication bypass makes the other seven vulnerabilities practically exploitable, even though they have lower severity scores.
Remote code execution and directory traversal
The complete list contains four remote code execution bugs (CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, CVE-2025-37096), two directory traversal issues (CVE-2025-37094 and CVE-2025-37095) and one server-side request forgery issue (CVE-2025-37090).
ZDI confirms that sensitive information can be disclosed in the affected versions of HPE StoreOnce VSA. Although exploitation requires authentication, that authentication step can itself be bypassed.
Upgrade required
StoreOnce integrates with backup software such as HPE Data Protector, Veeam, Commvault, and Veritas NetBackup. HPE has not listed any workarounds or mitigations for the eight vulnerabilities mentioned in the bulletin. Upgrading to version 4.3.11 remains the only recommended solution.
Although there are no reports of active exploitation, administrators of potentially affected environments should take immediate action. The combination of authentication bypass with the other vulnerabilities makes this a significant threat to backup infrastructures.