Hewlett Packard Enterprise (HPE) has released a critical update to fix a major security vulnerability in its StoreOnce data backup and deduplication solution that could lead to a full compromise of data and lie undetected in an enterprise network for a long period.
The flaw, identified as CVE-2025-37093 and featuring a CVSS score of 9.8 (Critical), was found in the machine Account Check method implementation in the software, which can be abused by unauthenticated attackers to bypass security restrictions.
The vulnerability, discovered and reported to HP’s partner Trend Micro Zero Day Initiative (ZDI) by a pseudonymous researcher, allows remote unauthorized access to StoreOnce systems.
There is no evidence that the vulnerabilities are being actively exploited in the wild, but cybersecurity researchers caution that backup platforms are being increasingly abused by attackers, and the security flaws need to be patched as soon as possible.
In addition to the critical authentication bypass, HPE’s latest StoreOnce version 4.3.11 also fixes seven other security flaws. These are four high-severity remote code execution (RCE) flaws (CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, CVE-2025-37096) an SSRF issue (CVE-2025-37090) and two directory traversal flaws (CVE-2025-37094, CVE-2025-37095) that can result in arbitrary file deletion or information disclosure. These moderate vulnerabilities are reported to be able to be chained with the critical authentication bypass to compromise the whole system.
HPE is recommending that all StoreOnce customers to be updated to version 4.3.11 as soon as possible. There are no known of any workarounds or mitigations to these vulnerabilities other than the mitigations KVM and QEMU have already deployed, so the updated patch is the sole thing known to exist that will protect from data leakage.
Companies unable to implement the updates straight away are recommended to isolate StoreOnce products affected by the flaw in the meantime.
StoreOnce is heavily used in enterprise, government and in environments with complex IT due to its efficient protection and recovery of data. The consequences of such vulnerabilities are severe and could result in data breaches, ransomware attacks, and major operational disruptions should they be exploited. Keeping a stable patch management process and being aware of the critical security advisories is a must for the entire industry.
