Advisory

HPE patches multiple flaws in StoreOnce Backup, at least one critical authentication bypass

Take action: If you're using HPE StoreOnce backup systems, first make sure each appliance is isolated and reachable only from trusted networks. Then plan a prompt upgrade to version 4.3.11. Isolating the system alone is not enough: attackers will find another way into the network, for example through phishing or a vulnerable edge device.


Learn More

Hewlett Packard Enterprise (HPE) has released a security bulletin addressing eight significant vulnerabilities affecting its StoreOnce disk-based backup and deduplication solution.

HPE StoreOnce is typically deployed in large enterprises, data centers, cloud service providers, and organizations handling big data or large virtualized environments. The platform integrates with popular backup software including HPE Data Protector, Veeam, Commvault, and Veritas NetBackup.

Vulnerability summary

  • CVE-2025-37093 (CVSS score 9.8) – Authentication Bypass - allows unauthenticated remote attackers to completely bypass security controls and gain system-level unauthorized access to backup systems, potentially leading to complete compromise of StoreOnce instances.
  • CVE-2025-37089 (CVSS score 7.2) – Remote Code Execution
  • CVE-2025-37096 (CVSS score 7.2) – Remote Code Execution
  • CVE-2025-37091 (CVSS score 7.2) – Remote Code Execution
  • CVE-2025-37092 (CVSS score 7.2) – Remote Code Execution
  • CVE-2025-37094 (CVSS score 5.5) – Directory Traversal Arbitrary File Deletion
  • CVE-2025-37090 (CVSS score 5.3) – Server-Side Request Forgery
  • CVE-2025-37095 (CVSS score 4.9) – Directory Traversal Information Disclosure

The vulnerabilities impact all versions of HPE StoreOnce Software before version 4.3.11. There are currently no reports of active exploitation in the wild. HPE has not provided mitigations or workarounds for these vulnerabilities.
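Since every release before 4.3.11 is affected, the practical first step is an inventory check. The following is an added example, not HPE's code or tooling: it compares StoreOnce versions numerically (a plain string compare ranks "4.3.9" above "4.3.11") and ranks unpatched appliances by whether they are reachable beyond a trusted backup network. The `Appliance` record, the `exposed` flag and the sample inventory are assumptions constructed for the example.

```python
"""
Triage helper for HPE's StoreOnce bulletin: flag appliances running a
StoreOnce Software version older than 4.3.11 and rank them by exposure.
Added example; the inventory below is constructed, not real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fixed release named in the bulletin; everything below it is affected.
FIXED_VERSION = "4.3.11"


def parse_version(text: str) -> Tuple[int, ...]:
    """Split '4.3.11' into (4, 3, 11) so each component compares numerically.
    A plain string comparison gets this wrong: '4.3.9' > '4.3.11' as text."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version is strictly older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


@dataclass
class Appliance:
    hostname: str
    version: str
    # Assumption: the inventory records whether the management interface is
    # reachable from networks other than the trusted backup network.
    exposed: bool


def triage(inventory: List[Appliance]) -> List[Dict[str, str]]:
    """Return one finding per appliance, most urgent first.

    critical : unpatched and reachable beyond the trusted network
    high     : unpatched but isolated (still needs the upgrade)
    ok       : already on 4.3.11 or later
    """
    rank = {"critical": 0, "high": 1, "ok": 2}
    findings = []
    for a in inventory:
        if not is_vulnerable(a.version):
            status = "ok"
        elif a.exposed:
            status = "critical"
        else:
            status = "high"
        findings.append({"hostname": a.hostname, "version": a.version,
                         "status": status})
    # sorted() is stable, so appliances with equal status keep inventory order
    return sorted(findings, key=lambda f: rank[f["status"]])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Appliance("so-dc1-01", "4.3.9", exposed=True),
    Appliance("so-dc1-02", "4.3.11", exposed=False),
    Appliance("so-dr-01", "4.2.3", exposed=False),
    Appliance("so-lab-01", "4.3.11.1", exposed=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['status']:8} {f['hostname']:12} {f['version']}")
```

Feed it the version strings reported by each appliance's management interface; anything marked `critical` is both unpatched and exposed and should be pulled behind the trusted network first, then upgraded with the rest.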