Hewlett Packard Enterprise warns of critical StoreOnce auth bypass

Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution. Among the flaws fixed this time is a critical severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked under CVE-2025-37093, three remote code execution bugs, two directory traversal problems, and a server-side request forgery issue. The flaws impact all versions of the HPE StoreOnce Software before v4.3.11, which is now the recommended upgrade version. Here's the complete list of the eight vulnerabilities HPE fixed in version 4.3.11: CVE-2025-37089 – Remote Code Execution – Remote Code Execution CVE-2025-37090 – Server-Side Request Forgery – Server-Side Request Forgery CVE-2025-37091 – Remote Code Execution – Remote Code Execution CVE-2025-37092 – Remote Code Execution – Remote Code Execution CVE-2025-37093 – Authentication Bypass – Authentication Bypass CVE-2025-37094 – Directory Traversa ... Read full article.