HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass

Avatar
Hewlett Packard Enterprise (HPE) has released security updates to address as many as eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. “These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass,
[[{“value”:”

Hewlett Packard Enterprise (HPE) has released security updates to address as many as eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution.

“These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal information disclosure vulnerabilities,” HPE said in an advisory.

This includes a fix for a critical security flaw tracked as CVE-2025-37093, which is rated 9.8 on the CVSS scoring system. It has been described as an authentication bypass bug affecting all versions of the software prior to 4.3.11. The vulnerability, along with the rest, was reported to the vendor on October 31, 2024.

According to the Zero Day Initiative (ZDI), which credited an anonymous researcher for discovering and reporting the shortcoming, said the problem is rooted in the implementation of the machineAccountCheck method.

“The issue results from improper implementation of an authentication algorithm,” ZDI said. “An attacker can leverage this vulnerability to bypass authentication on the system.”

Successful exploitation of CVE-2025-37093 could permit a remote attacker to bypass authentication on affected installations. What makes the vulnerability more severe is that it could be chained with the remaining flaws to achieve code execution, information disclosure, and arbitrary file deletion in the context of root –

CVE-2025-37089 – Remote Code Execution
CVE-2025-37090 – Server-Side Request Forgery
CVE-2025-37091 – Remote Code Execution
CVE-2025-37092 – Remote Code Execution
CVE-2025-37093 – Authentication Bypass
CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
CVE-2025-37095 – Directory Traversal Information Disclosure
CVE-2025-37096 – Remote Code Execution

The disclosure comes as HPE also shipped patches to address multiple critical-severity flaws in HPE Telco Service Orchestrator (CVE-2025-31651, CVSS score: 9.8) and OneView (CVE-2024-38475, CVE-2024-38476, CVSS scores: 9.8) to address previously disclosed weaknesses in Apache Tomcat and Apache HTTP Server.

While there are no reports of active exploitation, it’s essential that users apply the latest updates for optimal protection.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

Man pleads guilty to swatting spree impacting scores of government officials

Next Post

Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks

Related Posts

BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. – Dutch Operation

A joint law enforcement operation undertaken by Dutch and U.S. authorities has dismantled a criminal proxy network that's powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. In conjunction with the domain seizure, Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich
Avatar
Read More

Meta Starts Showing Ads on WhatsApp After 6-Year Delay From 2018 Announcement

Meta Platforms on Monday announced that it's bringing advertising to WhatsApp, but emphasized that the ads are "built with privacy in mind." The ads are expected to be displayed on the Updates tab through its Stories-like Status feature, which allows ephemeral sharing of photos, videos, voice notes, and text for 24 hours. These efforts are "rolling out gradually," per the company. The media
Avatar
Read More