Hewlett Packard Enterprise (HPE) has released urgent security patches for multiple high-impact vulnerabilities in its StoreOnce backup software, including a critical remote authentication bypass flaw (CVE‑2025‑37093) with a CVSS score of 9.8. These flaws could allow unauthenticated attackers to gain full system access, making immediate patching essential for organizations worldwide.
Hewlett Packard Enterprise (HPE) published a security bulletin on 2 June 2025 covering eight vulnerabilities in its StoreOnce software, the data deduplication and backup platform shipped both as physical appliances and as the StoreOnce VSA virtual appliance, and widely deployed across enterprise and critical infrastructure sectors. The flaws allow remote code execution, server-side request forgery (SSRF), arbitrary file deletion, information disclosure and, most critically, authentication bypass.
These vulnerabilities, all reported through Trend Micro’s Zero Day Initiative, affect all versions prior to StoreOnce 4.3.11. HPE urges all customers to upgrade immediately to mitigate exposure.
Breakdown of the Vulnerabilities
CVE | Attack Type | CVSS v3.1 | Attack Vector | Privileges Required
---|---|---|---|---
CVE-2025-37093 | Authentication Bypass | 9.8 | Network | None (no user interaction)
CVE-2025-37089 | Remote Code Execution | 7.2 | Network | High
CVE-2025-37090 | SSRF | 5.3 | Network | None (no user interaction)
CVE-2025-37091 | Remote Code Execution | 7.2 | Network | High
CVE-2025-37092 | Remote Code Execution | 7.2 | Network | High
CVE-2025-37094 | Directory Traversal (Arbitrary File Deletion) | 5.5 | Network | High
CVE-2025-37095 | Directory Traversal (Information Disclosure) | 4.9 | Network | High
CVE-2025-37096 | Remote Code Execution | 7.2 | Network | High
All eight vulnerabilities are exploitable over the network. Two of them, the authentication bypass (CVE-2025-37093) and the SSRF (CVE-2025-37090), require neither credentials nor user interaction, which is what makes an internet-reachable StoreOnce interface an immediate risk. The remaining six require high privileges, so in practice the bypass is the entry point and the RCE and traversal flaws are what an attacker chains after it to execute code, delete backups or read files as the appliance.
MITRE ATT&CK Mapping (TTPs & IOCs)
T1190 – Exploitation of Public-Facing Application (authentication bypass and the chained remote code execution against an exposed StoreOnce interface)
T1078 – Valid Accounts (sessions obtained through the bypass look like legitimate administrative access in logs)
T1210 – Exploitation of Remote Services (a compromised appliance, or the SSRF flaw, used to reach other internal systems)
T1485 – Data Destruction (arbitrary file deletion of backup data via the directory traversal flaw)
Indicators of Compromise (IOCs): the bulletin supplies no vendor-published indicators, so these are behaviours to hunt for rather than signatures:
- Unexpected deletion or modification of backup files
- Administrative sessions or API calls from unexpected source addresses, or sessions with no preceding successful login
- Outbound connections initiated by the appliance itself to internal or external hosts it has no business reaching (SSRF-like traffic)
Regional Implications: MEA Focus
In the Middle East and Africa, where HPE StoreOnce appliances are deployed across government, energy, and banking sectors, the risk is particularly acute. Regulatory frameworks in Saudi Arabia (NCA) and UAE (DESC) mandate swift response to critical vulnerabilities.
“Entities regulated under NCA ECC and DESC ISR must patch such flaws within strict timelines to maintain compliance,” noted Rania Al‑Shamari, a Riyadh-based cybersecurity consultant and former regulator.
For African nations aligning with GDPR-like privacy laws and data sovereignty requirements, an authentication bypass flaw introduces significant regulatory breach risks.
Global Scope and Comparisons
This alert fits a pattern of unauthenticated remote exploitation of infrastructure and file-transfer appliances, echoing the 2023 MOVEit Transfer vulnerability and the 2024 Ivanti Connect Secure flaws, both of which were mass-exploited shortly after disclosure. Organizations across North America, Europe, and APAC using StoreOnce should treat this as a critical-level exposure, not a regional one.
“This is a textbook example of how modern cybersecurity risks can cascade across backup infrastructure,” said David Kennedy, founder of TrustedSec, in a post on 3 June 2025.
HPE has acknowledged and credited anonymous researchers reporting through the ZDI program, showing continued industry reliance on coordinated disclosure.
Technical & Security Community Reactions
HPE’s Security Response Team emphasized its ongoing commitment:
“We encourage all customers to evaluate the applicability of this bulletin and upgrade to StoreOnce version 4.3.11 or later immediately,” HPE stated.
Meanwhile, SOC teams and pentesting providers are actively scanning for vulnerable endpoints, especially StoreOnce VSA (virtual appliance) deployments in cloud environments, where a management interface is more likely to be misconfigured or externally reachable.
Actionable Takeaways for Defenders and Executives
- Immediately upgrade every StoreOnce instance, physical appliance or VSA, to version 4.3.11 or later.
- Until patched, remove the management interface from any internet-facing or broadly reachable network; the authentication bypass needs no credentials.
- Review appliance and network logs for unauthorized access or manipulation across the full retention window preceding the patch, not just recent days.
- Update the asset inventory to flag every StoreOnce instance below 4.3.11, comparing versions numerically rather than as strings.
- Use network segmentation to restrict access to backup servers to the backup clients and administrative jump hosts that need it.
- Apply Zero Trust principles to backup infrastructure access: authenticate every management session and alert on sessions from unexpected sources.
- Coordinate with incident response teams to build detection signatures for the behaviours listed above.
- Update vulnerability management dashboards with the eight new CVEs.
- Alert executive teams and regulatory bodies if systems were previously exposed.
- Subscribe to future HPE security updates and bulletins.
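The inventory step above has a well-known pitfall: comparing version strings lexically ranks "4.3.9" above "4.3.11", so a naive check would mark a vulnerable build as patched. The following is an added example, not HPE tooling or anything from the bulletin, showing how to triage a constructed inventory export against the fixed release. The hostnames, products and exposure values are hypothetical; only the fixed version 4.3.11 comes from the advisory.

```python
"""Flag HPE StoreOnce instances running a build older than the fixed release.

Added example for this article, not HPE code. The inventory rows below are
constructed for illustration; only FIXED_VERSION (4.3.11) comes from the HPE
bulletin. Versions are compared as integer tuples because a plain string
comparison would wrongly rank "4.3.9" above "4.3.11".
"""
import csv
import io
import re

FIXED_VERSION = "4.3.11"  # first StoreOnce release carrying the fixes

# Constructed sample inventory with hypothetical hosts. A real export from a
# CMDB or scanner would carry the same columns.
SAMPLE_INVENTORY = """\
hostname,product,version,exposure
bk-riyadh-01,HPE StoreOnce VSA,4.3.9,internal
bk-dubai-02,HPE StoreOnce VSA,4.3.11,internal
bk-cairo-01,HPE StoreOnce 5260,4.2.3,internet
bk-lagos-01,HPE StoreOnce VSA,unknown,internal
nas-01,ExampleCorp NAS,7.2,internal
"""

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text):
    """Turn '4.3.11' into (4, 3, 11); return None for anything unparseable."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True if version sorts before the fixed release, False if at or above it,
    None if the version could not be parsed and needs a manual check."""
    current = parse_version(version)
    if current is None:
        return None
    target = parse_version(fixed)
    # Pad to equal length so that "4.3" compares as "4.3.0".
    width = max(len(current), len(target))
    current += (0,) * (width - len(current))
    target += (0,) * (width - len(target))
    return current < target


def triage_inventory(csv_text):
    """Return (vulnerable_rows, needs_review_rows) for StoreOnce entries only.

    Vulnerable rows are ordered with internet-exposed hosts first, since those
    are reachable by the unauthenticated bypass and should be patched first.
    """
    vulnerable, review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "storeonce" not in row["product"].lower():
            continue
        status = is_vulnerable(row["version"])
        if status is None:
            review.append(row)
        elif status:
            vulnerable.append(row)
    vulnerable.sort(key=lambda r: (r["exposure"] != "internet", r["hostname"]))
    return vulnerable, review


if __name__ == "__main__":
    vuln, review = triage_inventory(SAMPLE_INVENTORY)
    for r in vuln:
        print(f"PATCH {r['hostname']:<14} {r['version']:<8} exposure={r['exposure']}")
    for r in review:
        print(f"CHECK {r['hostname']:<14} version '{r['version']}' could not be parsed")
```

Rows whose version field cannot be parsed are reported separately rather than silently treated as patched; an "unknown" version on a backup appliance is itself a finding.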
Conclusion
This latest StoreOnce vulnerability disclosure illustrates the persistent risks in backup infrastructure, often overlooked in favor of perimeter or endpoint defenses. Given the remote and unauthenticated nature of the most severe flaws, organizations – especially in regulated and critical sectors – must treat this as a top priority security update. As attackers increasingly automate targeting of known vulnerabilities, patch velocity becomes a primary defense metric.