Hewlett Packard Enterprise (HPE) disclosed eight critical vulnerabilities in its **StoreOnce data backup and deduplication platform**, with the most severe being **CVE-2025-37093**, an **authentication bypass flaw** (CVSS 9.8). This vulnerability allows **unauthenticated attackers to bypass security controls**, gain **unauthorized system access**, and potentially achieve **remote code execution (RCE)**, delete files, or exfiltrate sensitive data. Affected versions include all **StoreOnce Virtual Storage Appliance (VSA) software prior to 4.3.11**.

The flaws expose organizations to **data breaches, operational disruption, and full system compromise**, particularly since backup systems are high-value targets for ransomware groups and APT actors. While no active exploitation has been reported, the **low attack complexity** and **lack of user interaction** required make this a **prime candidate for mass exploitation**. HPE has released patches in **version 4.3.11**, urging immediate upgrades to prevent **data theft, lateral movement within networks, or sabotage of recovery operations**.

Failure to patch could lead to **unauthorized access to backups**, enabling attackers to **encrypt, delete, or steal critical data**, crippling disaster recovery capabilities and exposing the organization to **regulatory penalties, financial loss, and reputational damage**.
Source: https://thecyberexpress.com/cve-2025-37093-hits-hpe-storeonce-systems/
TPRM report: https://www.rankiteo.com/company/hpe
"id": "hpe5750857112825",
"linkid": "hpe",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology (Data Storage & Backup '
'Solutions)',
'location': 'Global',
'name': 'Hewlett Packard Enterprise (HPE)',
'size': 'Large Enterprise',
'type': 'Corporation'}],
'attack_vector': ['Network-based',
'Unauthenticated Access',
'Remote Exploitation'],
'customer_advisories': ['Urgent recommendation to upgrade to StoreOnce VSA '
'version 4.3.11 or later'],
'date_detected': '2024-10-31',
'description': 'Hewlett Packard Enterprise (HPE) disclosed eight newly '
'discovered vulnerabilities in its StoreOnce data backup and '
'deduplication platform, including a critical authentication '
'bypass flaw (CVE-2025-37093, CVSS 9.8) that allows '
'unauthenticated attackers to bypass authentication and gain '
'unauthorized access. Other vulnerabilities include remote '
'code execution (RCE), server-side request forgery (SSRF), '
'arbitrary file deletion, information disclosure, and '
'directory traversal. Affected versions are prior to 4.3.11 of '
'the StoreOnce Virtual Storage Appliance (VSA). Patches are '
'available in version 4.3.11.',
'impact': {'brand_reputation_impact': ['Potential reputational damage due to '
'unpatched critical vulnerabilities'],
'operational_impact': ['Potential unauthorized access to backup '
'systems',
'Risk of remote code execution',
'Information disclosure',
'Directory traversal',
'Arbitrary file deletion',
'Server-side request forgery'],
'systems_affected': ['HPE StoreOnce Virtual Storage Appliance '
'(VSA) versions prior to 4.3.11']},
'investigation_status': 'Resolved (Patches released)',
'lessons_learned': ['Critical vulnerabilities in backup systems can expose '
'organizations to severe risks, including unauthorized '
'access and data sabotage.',
'Immediate patching of backup infrastructure is essential '
'to prevent exploitation by threat actors targeting '
'recovery systems.',
'Collaboration with third-party security researchers '
'(e.g., ZDI) can accelerate vulnerability disclosure and '
'remediation.'],
'post_incident_analysis': {'corrective_actions': ['Release of patched version '
'(4.3.11) addressing all '
'eight vulnerabilities',
'Collaboration with ZDI for '
'coordinated vulnerability '
'disclosure',
'Public advisory to raise '
'awareness and prompt '
'customer action'],
'root_causes': ['Authentication mechanism flaws in '
'HPE StoreOnce VSA (prior to '
'4.3.11)',
'Insufficient input validation '
'leading to RCE, SSRF, and '
'directory traversal '
'vulnerabilities',
'Lack of proper access controls '
'enabling unauthorized system '
'access']},
'recommendations': ['Upgrade HPE StoreOnce VSA to version 4.3.11 or later '
'immediately to mitigate all identified vulnerabilities.',
'Follow internal patch management protocols when applying '
'third-party security updates.',
'Monitor backup systems for signs of unauthorized access '
'or exploitation attempts.',
'Implement network segmentation to isolate backup '
'infrastructure from potential lateral movement by '
'attackers.',
'Conduct regular vulnerability assessments for backup and '
'storage solutions to proactively identify and address '
'flaws.'],
'references': [{'source': 'HPE Security Bulletin (HPESBST04847 rev.1)'},
{'source': 'Trend Micro Zero Day Initiative (ZDI) Advisory'}],
'response': {'communication_strategy': ['Security advisory (HPESBST04847 '
'rev.1)'],
'containment_measures': ['Patch deployment (StoreOnce VSA '
'version 4.3.11)'],
'remediation_measures': ['Upgrade to patched version 4.3.11 or '
'later'],
'third_party_assistance': ['Trend Micro Zero Day Initiative '
'(ZDI)']},
'stakeholder_advisories': ['HPE Security Advisory'],
'title': 'Critical Authentication Bypass and Multiple Vulnerabilities in HPE '
'StoreOnce Backup Platform (CVE-2025-37093, etc.)',
'type': ['Vulnerability Disclosure',
'Authentication Bypass',
'Remote Code Execution',
'Information Disclosure',
'Directory Traversal',
'Server-Side Request Forgery'],
'vulnerability_exploited': [{'cve_id': 'CVE-2025-37093',
'cvss_score': 9.8,
'cvss_vector': 'AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',
'description': 'Authentication Bypass (CVSS: '
'9.8)',
'reported_by': ['Anonymous Researcher',
'Trend Micro Zero Day Initiative '
'(ZDI)'],
'zdi_id': 'ZDI-CAN-24985'},
{'cve_id': 'CVE-2025-37089',
'cvss_score': 7.2,
'description': 'Remote Code Execution (CVSS: '
'7.2)',
'zdi_id': 'ZDI-CAN-24981'},
{'cve_id': 'CVE-2025-37090',
'cvss_score': 5.3,
'description': 'Server-Side Request Forgery '
'(CVSS: 5.3)',
'zdi_id': 'ZDI-CAN-24982'},
{'cve_id': 'CVE-2025-37091',
'cvss_score': 7.2,
'description': 'Remote Code Execution (CVSS: '
'7.2)',
'zdi_id': 'ZDI-CAN-24983'},
{'cve_id': 'CVE-2025-37092',
'cvss_score': 7.2,
'description': 'Remote Code Execution (CVSS: '
'7.2)',
'zdi_id': 'ZDI-CAN-24984'},
{'cve_id': 'CVE-2025-37094',
'cvss_score': 5.5,
'description': 'Directory Traversal / Arbitrary '
'File Deletion (CVSS: 5.5)',
'zdi_id': 'ZDI-CAN-25314'},
{'cve_id': 'CVE-2025-37095',
'cvss_score': 4.9,
'description': 'Directory Traversal / '
'Information Disclosure (CVSS: '
'4.9)',
'zdi_id': 'ZDI-CAN-25315'},
{'cve_id': 'CVE-2025-37096',
'cvss_score': 7.2,
'description': 'Remote Code Execution (CVSS: '
'7.2)',
'zdi_id': 'ZDI-CAN-25316'}]}