HPE has issued critical security patches for its StoreOnce data backup and deduplication platform, addressing eight newly discovered vulnerabilities. The most severe of these is an authentication bypass vulnerability, identified as CVE-2025-37093, which has been assigned a near-maximum CVSS score of 9.8. This indicates a critical risk to affected systems, as it could allow remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise StoreOnce VSA.
The code-execution flaw tracked as ZDI-25-312 and assigned CVE-2025-37089 lies in the `setLocateBeaconOnHardware` method, where a user-supplied string is not properly validated before it is used to execute a system call. Authentication is normally required to reach this method, but because the existing authentication mechanism can be bypassed, an attacker can exploit it to execute code in the context of root. The ZDI has assigned CVE-2025-37089 a CVSS rating of 7.2.
Users of HPE StoreOnce are strongly advised to upgrade to version 4.3.11 or later to mitigate the risk of exploitation. Hewlett Packard Enterprise has released an update to correct this vulnerability, and more details can be found on their support website. The disclosure timeline indicates that the vulnerability was reported to the vendor on October 31, 2024, followed by a coordinated public release of the advisory on June 2, 2025.
References:
- securityaffairs.com: HPE has released security patches for eight vulnerabilities in its StoreOnce backup solution. These issues could allow remote code execution, authentication bypass, data leaks, and more.
- thecyberexpress.com: Hewlett Packard Enterprise (HPE) has issued a new security advisory addressing eight newly discovered vulnerabilities in its StoreOnce data backup and deduplication platform. Among these, the most severe is an authentication bypass vulnerability tracked as CVE-2025-37093, which carries a near-maximum CVSS score of 9.8, indicating a critical risk to affected systems.
- ZDI: Published Advisories: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2025-37089.
- ZDI: Published Advisories: ZDI-25-316: Hewlett Packard Enterprise StoreOnce VSA Authentication Bypass Vulnerability
- arcticwolf.com: HPE Fixes Critical RCE Vulnerability in StoreOnce
- The Hacker News: HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass
- arcticwolf.com: On 2 June 2025, Hewlett Packard Enterprise (HPE) released fixes for multiple vulnerabilities affecting HPE StoreOnce VSA, an enterprise backup storage solution. The most severe of these was CVE-2025-37093, a critical authentication bypass vulnerability discovered by the Zero Day Initiative (ZDI).
- Arctic Wolf: CVE-2025-37093: HPE Fixes Critical RCE Vulnerability in StoreOnce
- Arctic Wolf: HPE Fixes Critical RCE Vulnerability in StoreOnce
- Techzine Global: HPE has issued a security bulletin for eight vulnerabilities in StoreOnce, intended for drive-based backup and deduplication.
- BleepingComputer: Hewlett Packard Enterprise warns of critical StoreOnce auth bypass
Classification:
- HashTags: #HPE #StoreOnce #Vulnerability
- Company: Hewlett Packard Enterprise
- Target: HPE StoreOnce users
- Product: StoreOnce
- Feature: Data Backup
- Malware: CVE-2025-37093
- Type: Vulnerability
- Severity: Critical