HPE rushes out patch for critical StoreOnce backup flaw

Hewlett Packard Enterprise has issued patches for eight vulnerabilities in its StoreOnce backup and deduplication appliances. The worst, CVE-2025-37093 (CVSS 9.8), lets remote attackers bypass authentication on any version prior to StoreOnce 4.3.11. Zero Day Initiative says the flaw sits in the machineAccountCheck method. Once inside, an intruder could chain further bugs—four remote-code-execution holes, a server-side-request-forgery issue, and two directory-traversal flaws—to run code as root, read files or delete data. HPE has also shipped critical fixes for Telco Service Orchestrator and OneView. No exploitation has been spotted in the wild, but admins are urged to update immediately.

Hewlett Packard Enterprise has released an urgent software update for its StoreOnce data-backup appliances after discovering eight serious vulnerabilities, one of which scores a near-maximum 9.8 on the CVSS scale.

What’s gone wrong?
Security researchers have shown that a coding mistake in the machineAccountCheck routine could let remote attackers skip the login screen entirely (CVE-2025-37093). Any StoreOnce version before 4.3.11 is exposed.

Why you should worry
Once past authentication, an intruder could chain other newly patched faults to:
• run arbitrary code as root
• send rogue requests to internal servers
• read or delete backup files

Full list of CVEs
• CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, CVE-2025-37096 – Remote code execution
• CVE-2025-37090 – Server-side request forgery
• CVE-2025-37094 – File deletion via directory traversal
• CVE-2025-37095 – Information disclosure
• CVE-2025-37093 – Authentication bypass (critical)

What to do now
HPE customers should install StoreOnce 4.3.11 or later without delay; there is no workaround. The company has also patched unrelated critical bugs in HPE Telco Service Orchestrator and OneView.
Still on an older release? Isolate the appliance from public networks and monitor for unusual log-ins until you can upgrade.
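A small triage helper for the upgrade advice above, added here as an example and not HPE's code or tooling: it compares each appliance's reported version against the 4.3.11 fixed release numerically (a plain string comparison would wrongly treat 4.3.9 as newer than 4.3.11) and attaches the CVE list from the article. The hostnames and version strings in the inventory are constructed sample data.

```python
from typing import Dict, List, Tuple

FIXED_VERSION = "4.3.11"  # first StoreOnce release containing the fixes (from the advisory)

# CVE-to-impact map, taken from the list in the article
STOREONCE_CVES: Dict[str, str] = {
    "CVE-2025-37093": "authentication bypass (critical, CVSS 9.8)",
    "CVE-2025-37089": "remote code execution",
    "CVE-2025-37091": "remote code execution",
    "CVE-2025-37092": "remote code execution",
    "CVE-2025-37096": "remote code execution",
    "CVE-2025-37090": "server-side request forgery",
    "CVE-2025-37094": "file deletion via directory traversal",
    "CVE-2025-37095": "information disclosure",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.3.11' into (4, 3, 11) so releases compare numerically.
    Lexicographic comparison gets this wrong: '4.3.9' > '4.3.11' as strings."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised StoreOnce version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs a release older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[dict]:
    """Map {hostname: version} to a per-appliance status record, vulnerable hosts first."""
    report = []
    for host, version in inventory.items():
        vulnerable = is_vulnerable(version)
        report.append({
            "host": host,
            "version": version,
            "status": "UPGRADE TO %s" % FIXED_VERSION if vulnerable else "patched",
            "cves": sorted(STOREONCE_CVES) if vulnerable else [],
        })
    return sorted(report, key=lambda r: not r["cves"])


# Constructed sample inventory (hostnames and versions are not real)
SAMPLE_INVENTORY = {"so-backup-01": "4.3.9", "so-backup-02": "4.3.11", "so-dr-01": "4.2.20"}
```

`triage(SAMPLE_INVENTORY)` flags so-backup-01 and so-dr-01 for upgrade and reports so-backup-02 as patched.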