HPE Releases Critical Security Updates for StoreOnce Backup Systems

Hewlett Packard Enterprise (HPE) has recently issued a series of security patches to address multiple vulnerabilities in its StoreOnce data backup and deduplication systems. These vulnerabilities, if exploited, could lead to severe security breaches, including authentication bypasses and remote code execution.

Overview of the Vulnerabilities

The security flaws encompass eight distinct vulnerabilities, each posing significant risks:

– CVE-2025-37093: An authentication bypass vulnerability with a CVSS score of 9.8, affecting all software versions prior to 4.3.11.

– CVE-2025-37089: Remote code execution vulnerability.

– CVE-2025-37090: Server-side request forgery vulnerability.

– CVE-2025-37091: Remote code execution vulnerability.

– CVE-2025-37092: Remote code execution vulnerability.

– CVE-2025-37094: Directory traversal leading to arbitrary file deletion.

– CVE-2025-37095: Directory traversal leading to information disclosure.

– CVE-2025-37096: Remote code execution vulnerability.

These vulnerabilities were reported to HPE on October 31, 2024, and have been addressed in the latest software update.

Technical Details

The critical vulnerability, CVE-2025-37093, resides in the `machineAccountCheck` method. The Zero Day Initiative (ZDI) explains that the flaw results from improper implementation of an authentication algorithm, allowing attackers to bypass authentication mechanisms. Exploitation of this vulnerability could enable unauthorized access to the system, potentially leading to further exploitation of the other identified vulnerabilities.

Potential Impact

If these vulnerabilities are exploited, attackers could gain unauthorized access to sensitive data, execute arbitrary code, delete critical files, and perform other malicious activities. The combination of these vulnerabilities significantly increases the risk of a comprehensive system compromise.

HPE’s Response and Recommendations

HPE has released software version 4.3.11 to address these vulnerabilities. The company strongly recommends that all users of StoreOnce systems update to this latest version to mitigate potential security risks.

Historical Context

This is not the first time HPE’s StoreOnce systems have faced security issues. In 2013, a hardcoded administrator account was discovered, allowing unauthorized remote access. The account, named HPSupport, had a preset password that was easily brute-forced, leading to full administrative access for attackers. HPE addressed this issue by releasing a security bulletin and providing a software patch to disable the undocumented account.

In 2015, additional vulnerabilities were identified in StoreOnce systems, including remote execution of arbitrary code with privilege elevation, cross-site request forgery (CSRF), and cross-site scripting (XSS). HPE responded by releasing software version 3.13.1 to resolve these issues.

More recently, in 2022, a vulnerability (CVE-2022-28622) was discovered in HPE StoreOnce Software versions prior to 4.3.2. This flaw allowed attackers to exploit weak key exchange algorithms in the SSH server, leading to unauthorized remote access. HPE addressed this issue by releasing software update 4.3.2.
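As an added example (not HPE tooling and not part of the original article), the following Python script checks a list of appliance versions against the fixed-in releases named in this article: 3.13.1, 4.3.2 and 4.3.11. The inventory entries, host names and the version-string format (a dotted number with an optional build suffix) are assumptions constructed for illustration, as is treating the three releases as one linear version line.

```python
import re

# Fixed-in releases as stated in the article (advisory label -> first fixed version).
# Assumption: all releases sit on one linear version line.
FIXED_IN = {
    "2015 RCE/CSRF/XSS issues": "3.13.1",
    "CVE-2022-28622": "4.3.2",
    "CVE-2025-37089 to CVE-2025-37096": "4.3.11",
}

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple of ints, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_older(version, fixed):
    """Numeric, component-wise comparison. A plain string comparison would
    rank "4.3.2" above "4.3.11" and report a vulnerable system as patched."""
    n = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(version) < pad(fixed)

def open_advisories(version_text):
    """List the advisories whose fix is missing; None if the version is unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return [name for name, fixed in FIXED_IN.items()
            if is_older(v, parse_version(fixed))]

def audit(inventory):
    """Map each host to OK, an update notice, or a manual-review flag."""
    report = {}
    for host, version_text in inventory:
        hits = open_advisories(version_text)
        if hits is None:
            report[host] = "UNKNOWN VERSION, check manually"
        else:
            report[host] = "UPDATE: " + "; ".join(hits) if hits else "OK"
    return report

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [("backup-01", "4.3.11"), ("backup-02", "4.3.2"),
                    ("backup-03", "4.3.10-2431"), ("backup-04", "n/a")]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

An unparseable version is flagged for manual review rather than reported as patched, so a missing inventory field cannot hide an unpatched appliance.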

Broader Security Measures

HPE has been actively working to enhance the security of its products. In April 2025, the company reaffirmed its commitment to the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge. This initiative emphasizes the importance of integrating security at every phase of the product lifecycle to protect enterprises against emerging threats. HPE has implemented measures such as multi-factor authentication, unique passwords for each instance, and regular security patches to strengthen its security posture.

Conclusion

The recent vulnerabilities in HPE’s StoreOnce systems underscore the critical importance of timely software updates and robust security practices. Organizations utilizing these systems should promptly apply the latest patches and review their security configurations to safeguard against potential exploits.