Skip to content
Uniqcli

"HPE StoreOnce CVE-2025-37093 (CVSS 9.8): Remote Authentication Bypass — Patch to 4.3.11"

NewsUniqcli TeamJune 9, 20266 min read
"HPE StoreOnce CVE-2025-37093 (CVSS 9.8): Remote Authentication Bypass — Patch to 4.3.11"

HPE has patched a critical authentication bypass in its StoreOnce data-protection software, tracked as CVE-2025-37093 and rated CVSS 9.8. Because StoreOnce is a backup target, a flaw that grants unauthenticated remote access deserves prompt attention. This post summarizes what is confirmed by HPE's advisory and independent reporting, who is affected, and exactly what to do.

What happened

On June 2, 2025, Hewlett Packard Enterprise published a security bulletin (HPESBST04847) disclosing eight vulnerabilities in HPE StoreOnce Software. The most severe is CVE-2025-37093, a remote authentication bypass. According to Trend Micro's Zero Day Initiative, which coordinated the disclosure on behalf of an anonymous researcher, the flaw lives in the implementation of the machineAccountCheck method and stems from improper handling of an authentication algorithm. The result: a remote, unauthenticated attacker can bypass authentication.

The vulnerability was reported to HPE on October 31, 2024, and the fix shipped in early June 2025. On its own, an authentication bypass is serious; the larger risk is that it can be chained with the other flaws patched in the same release to achieve remote code execution, server-side request forgery (SSRF), information disclosure, and arbitrary file deletion against the appliance.

Affected products and versions

The advisory covers HPE StoreOnce Software. All eight CVEs are remediated in the same release, version 4.3.11. The affected and fixed versions are identical across the set.

Product Affected Fixed
HPE StoreOnce Software All versions prior to 4.3.11 4.3.11 (or later)

The full set of CVEs resolved in 4.3.11:

CVE Type
CVE-2025-37089 Remote code execution
CVE-2025-37090 Server-side request forgery (SSRF)
CVE-2025-37091 Remote code execution
CVE-2025-37092 Remote code execution
CVE-2025-37093 Authentication bypass (CVSS 9.8)
CVE-2025-37094 Directory traversal / arbitrary file deletion
CVE-2025-37095 Directory traversal / information disclosure
CVE-2025-37096 Remote code execution

CVSS scores for the seven companion CVEs were not published in HPE's bulletin or the CIS advisory; only CVE-2025-37093 has a publicly confirmed score (9.8). We have intentionally not assigned numbers to the others.

How serious is it

CVE-2025-37093 carries a CVSS 9.8 ("Critical") rating. That score reflects a vulnerability that is network-exploitable, requires no privileges and no user interaction, and can severely impact confidentiality, integrity, and availability. The Center for Internet Security rated the overall risk High for large and medium government and business organizations.

On exploitation status: as of HPE's disclosure and independent analysis from Arctic Wolf, there were no reports of active exploitation in the wild and no publicly available proof-of-concept exploit. We could not confirm that CVE-2025-37093 has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. That is the current picture, not a guarantee about the future — backup and data-protection systems are a recurring target for ransomware operators precisely because compromising them undermines an organization's ability to recover. The absence of a public exploit is a reason to patch on a planned schedule, not a reason to defer.

Am I exposed?

You should treat your environment as in-scope if any of the following are true:

  • You run HPE StoreOnce Software (including StoreOnce VSA deployments) at a version below 4.3.11.
  • A StoreOnce management interface is reachable from networks beyond your trusted backup administration segment.

To check your version, log into the StoreOnce management console and review the software/firmware version, or query it through your central management tooling. If you are unsure which appliances are in service or what versions they run, an inventory of your backup estate is the right first step — backup targets are easy to overlook in patch programs because they are not user-facing.

How to fix it

Apply the patch. Upgrade all affected HPE StoreOnce systems to version 4.3.11 or later. This single release remediates CVE-2025-37093 and the seven companion CVEs (CVE-2025-37089 through CVE-2025-37096). There is no partial fix — 4.3.11 is the remediation for the entire set.

HPE has not published a standalone workaround that fully mitigates CVE-2025-37093, so upgrading is the authoritative fix. Until every appliance is on 4.3.11, sound interim hardening reduces exposure:

  • Restrict network reachability. Ensure StoreOnce management interfaces are only accessible from a dedicated, tightly controlled backup-administration network — never from general user VLANs or the internet.
  • Tighten firewall and ACL rules so that only known administrative hosts can reach the appliance's management plane.
  • Increase monitoring of authentication and management activity on the appliances while you schedule the upgrade.

Treat these as risk reduction during the upgrade window, not as substitutes for 4.3.11. Validate backup and restore operations after upgrading.

How Uniqcli helps

Uniqcli is an authorized reseller for HPE, HPE Aruba Networking, and HPE Juniper Networking, working with US federal, SLED, healthcare, and enterprise customers. For this advisory we can:

  • Assess your exposure — inventory StoreOnce appliances across your environment, confirm running versions, and identify which systems need to move to 4.3.11.
  • Source patched or replacement hardware — where appliances are end-of-support or you are planning a refresh of your backup estate, we can quote current StoreOnce systems and compatible alternatives.
  • Support the upgrade — coordinate the path to 4.3.11 with your team and HPE support, and help validate backup/restore integrity afterward.

Procurement is available through the vehicles public-sector buyers rely on, including TAA-compliant products, GSA, and SEWP. If you need help confirming whether your StoreOnce systems are affected or planning remediation, contact our team.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL