Hewlett Packard Enterprise has released a new version of its disk-based deduplicating backup appliance, StoreOnce, to fix eight security flaws, led by a critical authentication bypass vulnerability tracked as CVE-2025-37093, BleepingComputer reports.
The critical bug stems from an improper implementation of the authentication algorithm in the appliance's machineAccountCheck method, according to the Zero Day Initiative. Other issues addressed in HPE StoreOnce version 4.3.11 include four remote code execution flaws, tracked as CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, and CVE-2025-37096; a server-side request forgery vulnerability, tracked as CVE-2025-37090; and two medium-severity bugs, an arbitrary file deletion issue tracked as CVE-2025-37094 and an information disclosure issue tracked as CVE-2025-37095. Exploiting CVE-2025-37094 requires authentication, but ZDI noted that the existing authentication mechanism can be bypassed. While no active exploitation of the bugs has been reported, HPE has provided no workarounds, so administrators should upgrade to StoreOnce 4.3.11 immediately.
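Since the only remediation is the upgrade, the practical first step is to find every appliance still running a release older than 4.3.11. The script below is an added example, not code from HPE, ZDI or BleepingComputer: it assumes an inventory exported as constructed "hostname,version" lines and only takes the fixed version number 4.3.11 from the advisory. The point it makes is that version strings must be compared numerically, since a plain string comparison ranks "4.3.9" above "4.3.11" and would mark a vulnerable appliance as patched.

```python
"""Fleet check for HPE StoreOnce appliances below the fixed release 4.3.11.

Added example, not HPE's or BleepingComputer's code. It assumes an inventory
exported as "hostname,version" lines (a constructed format); only the fixed
version number 4.3.11 comes from the advisory.
"""
import re
from typing import List, Tuple

FIXED_VERSION = "4.3.11"  # first StoreOnce release carrying the fixes (from the advisory)

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.3.9' into (4, 3, 9) so that components compare numerically.

    Plain string comparison gets this wrong: '4.3.9' > '4.3.11' as strings,
    which would silently mark a vulnerable appliance as patched.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    installed = parse_version(version)
    target = parse_version(fixed)
    # Pad with zeros so '4.3' compares as (4, 3, 0) against (4, 3, 11).
    width = max(len(installed), len(target))
    installed += (0,) * (width - len(installed))
    target += (0,) * (width - len(target))
    return installed < target


def find_vulnerable(inventory_csv: str) -> List[Tuple[str, str]]:
    """Return (hostname, version) for every appliance still below the fix.

    Lines that do not parse are reported with version 'unknown' rather than
    skipped: an appliance you cannot classify needs a manual look, not silence.
    """
    flagged = []
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            if is_vulnerable(version):
                flagged.append((host.strip(), version.strip()))
        except ValueError:
            flagged.append((host.strip(), "unknown"))
    return flagged


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
# hostname,storeonce_version
so-dc1-01,4.3.9
so-dc1-02,4.3.11
so-dc2-01,4.3.10
so-dc2-02,4.3.11
so-lab-01,4.2.3
so-lab-02,n/a
"""

if __name__ == "__main__":
    for host, ver in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: {ver} -> upgrade to {FIXED_VERSION}")
```

Feed it the real export from whatever asset register holds the appliance versions; anything it lists, including the "unknown" entries it refuses to guess about, goes on the upgrade list.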