Multiple Vulnerabilities in HPE StoreOnce Enable Remote Attacks

HPE has disclosed critical security vulnerabilities in its StoreOnce backup software that could allow remote attackers to execute malicious code, bypass authentication systems, and access sensitive data.

The vulnerabilities, discovered by security researchers working with Trend Micro’s Zero Day Initiative, affect HPE StoreOnce VSA versions prior to 4.3.11 and represent a significant security risk for organizations relying on this enterprise backup solution.

The security bulletin, released on June 2, 2025, identifies eight distinct vulnerabilities tracked as CVE-2025-37089 through CVE-2025-37096.

These vulnerabilities enable a range of attack vectors including remote code execution, server-side request forgery (SSRF), authentication bypass, arbitrary file deletion, and directory traversal attacks.

The most severe vulnerability, CVE-2025-37093, carries a CVSS score of 9.8 out of 10, a critical rating, and requires no privileges to exploit.

The vulnerabilities could allow attackers to gain unauthorized access to backup systems, potentially compromising the integrity and confidentiality of stored data.

Remote code execution capabilities mean that attackers could install malware, modify system configurations, or use compromised systems as launching points for lateral movement within enterprise networks.

The authentication bypass vulnerability is particularly concerning as it could allow unauthorized users to gain administrative access to backup infrastructure without valid credentials.

Directory traversal vulnerabilities enable attackers to access files outside intended directories, potentially exposing sensitive configuration files, credentials, or backed-up data.

The arbitrary file deletion capability could be weaponized to destroy critical backup data or system files, potentially causing significant operational disruption and data loss for affected organizations.

Vulnerabilities in HPE

The vulnerabilities display varying levels of severity based on their CVSS 3.1 assessments. Four vulnerabilities (CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, and CVE-2025-37096) scored 7.2, classified as high severity and requiring high-level privileges for exploitation.

CVE-2025-37090, the server-side request forgery vulnerability, received a moderate score of 5.3, while CVE-2025-37094 and CVE-2025-37095, involving directory traversal attacks, scored 5.5 and 4.9 respectively.

The critical authentication bypass vulnerability stands out with its maximum exploitability, requiring no user interaction and allowing network-based attacks without authentication.

This particular vulnerability poses the greatest immediate risk to organizations, as attackers could potentially gain complete control over affected systems through remote network access.

Mitigations

HPE has released StoreOnce Software version 4.3.11 to address all identified vulnerabilities. The company strongly recommends immediate upgrading for all users running affected versions.

Organizations can download the updated software through the Hewlett Packard Enterprise Support Center.

HPE acknowledges the anonymous researchers who reported these issues through responsible disclosure protocols.

The company emphasizes that customers should implement these patches according to their established patch management policies and maintain regular security review procedures.

For organizations unable to immediately upgrade, HPE recommends implementing additional network security controls to limit exposure, including restricting network access to StoreOnce systems and monitoring for suspicious activities.

Given the critical nature of backup infrastructure and the severity of these vulnerabilities, security experts recommend treating this update as an emergency patch requiring immediate deployment across all affected systems.


Mayura
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
