Hewlett Packard Enterprise (HPE) has released a security update for its StoreOnce solution that addresses eight vulnerabilities, including a critical authentication bypass bug (CVE-2025-37093, CVSS 9.8) that can be chained with the other flaws to achieve remote code execution.

According to the official announcement, the StoreOnce vulnerabilities can be used by attackers to bypass authentication, execute code remotely, perform SSRF attacks, delete files, and disclose information. The most dangerous of them, CVE-2025-37093, affects all versions of StoreOnce prior to 4.3.11 and was discovered by an anonymous security researcher working with the Zero Day Initiative (ZDI).
StoreOnce is HPE's flagship data backup and deduplication platform, widely used in corporate and government environments. The vulnerabilities were reported back in October 2024, but fixes have only become available now. This is another reminder that backup infrastructure is itself an attack surface: a compromised deduplication appliance hands an attacker the very data an organization relies on for recovery. The Zero Day Initiative, which coordinated the disclosure, confirmed that the vulnerabilities could be used to compromise the appliance with root privileges, making them particularly attractive to attackers.
HPE urges all users to update StoreOnce to version 4.3.11 immediately and to check that other HPE products, such as Telco Service Orchestrator and OneView, are also up to date. Although there is no evidence of active exploitation yet, an authentication bypass on a backup appliance is an obvious target, and the risk is too high to delay the update. Events like these once again underscore the importance of regular patch management in modern infrastructures.
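To turn the advisory into an operational check, the following script triages a fleet inventory against the fixed release. It is an added example, not code from HPE or from the advisory; the hostnames and version strings are constructed, and the script assumes StoreOnce versions are reported as dotted numbers (optionally with a build suffix), which you should confirm against your own appliances. The comparison is done numerically, because sorting versions as strings puts "4.3.9" after "4.3.11" and would silently mark a vulnerable appliance as patched.

```python
"""Triage a StoreOnce inventory against the fixed release 4.3.11.

Added example, not HPE's code. The inventory below is constructed;
real version strings should come from your CMDB or the appliances.
"""
import re

# First release containing the fixes, per the HPE advisory.
FIXED_VERSION = (4, 3, 11)


def parse_version(text):
    """Return the numeric version as a tuple, ignoring any build suffix.

    Assumes a "MAJOR.MINOR.PATCH[-suffix]" format (an assumption for this
    example). Numeric comparison matters: as strings, "4.3.9" > "4.3.11".
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if the appliance runs a release older than 4.3.11."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory):
    """Split a {hostname: version} mapping into (affected, patched) lists."""
    affected, patched = [], []
    for host, version in sorted(inventory.items()):
        (affected if is_affected(version) else patched).append((host, version))
    return affected, patched


# Constructed sample inventory: hypothetical hostnames and versions.
SAMPLE_INVENTORY = {
    "storeonce-dc1": "4.3.9",
    "storeonce-dc2": "4.3.11",
    "storeonce-dr": "4.2.3-build1234",
    "storeonce-lab": "4.3.12",
}

if __name__ == "__main__":
    affected, patched = triage(SAMPLE_INVENTORY)
    for host, version in affected:
        print(f"UPDATE  {host}: {version} is older than 4.3.11")
    for host, version in patched:
        print(f"ok      {host}: {version}")
```

Feed `triage()` a mapping built from your asset inventory; anything in the `affected` list is running a release the advisory covers and should be scheduled for the 4.3.11 update.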