Eight critical security vulnerabilities have been disclosed in HPE StoreOnce backup and recovery software. The most severe, designated CVE-2025-37093, carries a CVSS v3.1 score of 9.8 and allows a complete authentication bypass with no user interaction. It stems from improper authentication handling and lets an attacker gain full system access, potentially compromising data integrity, exposing sensitive information, and disrupting service availability.
Critical authentication bypass flaw in HPE StoreOnce enables complete system compromise with zero user interaction required.
The comprehensive security patch, version 4.3.11, addresses all eight vulnerabilities, CVE-2025-37089 through CVE-2025-37096. These flaws allow remote code execution, information disclosure, and arbitrary file deletion on affected systems. Every HPE StoreOnce Software version prior to 4.3.11 remains vulnerable, which covers both StoreOnce VSA virtual appliances and hardware deployments running outdated software.
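Because the bulletin's affected-version statement is simply "everything before 4.3.11", the first practical step for a defender is to sweep an appliance inventory and flag what still needs the patch. The following script is an added example written for this article, not code from HPE or the bulletin; the inventory format (a hostname-to-version mapping) and the hostnames and version strings in it are constructed for illustration. It parses dotted version strings into comparable tuples, tolerates trailing build tags, pads short versions so that "4.3" compares as older than "4.3.11", and returns the vulnerable appliances oldest-first so the most overdue systems are patched or isolated first.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the HPE bulletin: every StoreOnce Software version
# before 4.3.11 is affected by CVE-2025-37089 through CVE-2025-37096.
FIXED_VERSION: Tuple[int, ...] = (4, 3, 11)

# Leading dotted integers only; a trailing build tag is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version string such as '4.3.10' into a comparable integer tuple.

    Trailing build tags (e.g. '4.3.8-1234', a constructed example) are dropped.
    Strings that do not start with dotted integers are rejected rather than
    silently treated as patched or unpatched.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unparsable version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(parts: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Right-pad with zeros so '4.3' compares as (4, 3, 0) against (4, 3, 11).
    return parts + (0,) * (width - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the version is earlier than the 4.3.11 fixed release."""
    parsed = parse_version(version)
    width = max(len(parsed), len(FIXED_VERSION))
    return _pad(parsed, width) < _pad(FIXED_VERSION, width)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return appliance names still running a pre-4.3.11 version, oldest first."""
    vulnerable = [
        (parse_version(ver), name) for name, ver in inventory.items() if is_vulnerable(ver)
    ]
    return [name for _, name in sorted(vulnerable)]


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY: Dict[str, str] = {
    "vsa-dc1-01": "4.3.10",
    "vsa-dc1-02": "4.3.11",
    "so-5260-dc2": "4.2.3",
    "so-3660-lab": "4.3.11.2",
    "vsa-dr-site": "4.3.8-1234",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade to 4.3.11 or isolate")
```

The zero-padding matters in both directions: a short version like "4.3" is correctly treated as affected, while a hotfix build such as "4.3.11.2" is correctly treated as patched. Rejecting unparsable strings with an exception, instead of guessing, keeps an inventory entry like "unknown" from quietly dropping out of the triage list.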
Remote exploitation capabilities greatly amplify the threat profile, particularly for organizations with exposed network configurations. Security researchers indicate that threat actors could capitalize on these vulnerabilities to deploy ransomware, execute lateral network movement, or establish persistent access to critical backup infrastructure.
The authentication bypass vulnerability poses the gravest concern, requiring no user interaction while granting complete system control to unauthorized attackers. HPE has issued security bulletin hpesbst04847en_us, emphasizing that no workarounds exist and immediate patching represents the only viable remediation strategy.
HPE recommends isolating vulnerable systems from untrusted networks until patch deployment is complete, implementing strict network segmentation to limit lateral movement, and monitoring for unauthorized access attempts throughout the remediation window. Regular review of system management and security procedures should also be implemented to prevent future lapses. Among the other flaws, the directory traversal vulnerability allows attackers to reach file system locations outside the application's intended boundaries.
The vulnerabilities affect enterprise backup systems and critical infrastructure environments, where operational disruption could result in substantial data loss and business continuity failures. Recent data shows that data breach costs now average $4.35 million per incident, making immediate patching crucial. Backup platforms have increasingly become primary targets for ransomware operators seeking to deny victims the ability to recover, which makes these flaws particularly significant for an organization's security posture.
HPE support services remain available for customers requiring technical assistance during patch deployment. Security communities and industry analysts have amplified patch urgency recommendations, noting similar vulnerability patterns across competing backup solution providers.
Organizations utilizing affected StoreOnce deployments face heightened compromise risks until successful remediation completion, with enterprise environments and critical infrastructure installations representing priority targets for potential exploitation.