Hewlett Packard Enterprise (HPE) has recently released security updates to fix a total of eight vulnerabilities in its StoreOnce data backup and deduplication solution. These vulnerabilities could allow for an authentication bypass and remote code execution.
The vulnerabilities were reported to HPE on October 31, 2024, and one of the critical flaws, CVE-2025-37093, is rated 9.8 on the CVSS scoring system. It is an authentication bypass bug affecting versions of the software prior to 4.3.11.
If successfully exploited, CVE-2025-37093 could allow a remote attacker to bypass authentication on affected systems. This vulnerability could be combined with other flaws to achieve code execution, information disclosure, and arbitrary file deletion.

The eight vulnerabilities fixed are:

- CVE-2025-37089 – Remote Code Execution
- CVE-2025-37090 – Server-Side Request Forgery
- CVE-2025-37091 – Remote Code Execution
- CVE-2025-37092 – Remote Code Execution
- CVE-2025-37093 – Authentication Bypass
- CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
- CVE-2025-37095 – Directory Traversal Information Disclosure
- CVE-2025-37096 – Remote Code Execution

HPE has also released patches for critical-severity vulnerabilities in HPE Telco Service Orchestrator (CVE-2025-31651) and OneView (CVE-2024-38475, CVE-2024-38476). These patches fix weaknesses in Apache Tomcat and Apache HTTP Server.
While there have been no reports of active exploitation, it is highly recommended that users install the latest updates to ensure optimal protection.





