"HPE StoreOnce CVE-2025-37093 (CVSS 9.8): Remote Authentication Bypass — Patch to 4.3.11"

HPE has patched a critical authentication bypass in its StoreOnce data-protection software, tracked as CVE-2025-37093 and rated CVSS 9.8. Because StoreOnce is a backup target, a flaw that grants unauthenticated remote access deserves prompt attention. This post summarizes what is confirmed by HPE's advisory and independent reporting, who is affected, and exactly what to do.
What happened
On June 2, 2025, Hewlett Packard Enterprise published a security bulletin (HPESBST04847) disclosing eight vulnerabilities in HPE StoreOnce Software. The most severe is CVE-2025-37093, a remote authentication bypass. According to Trend Micro's Zero Day Initiative, which coordinated the disclosure on behalf of an anonymous researcher, the flaw lives in the implementation of the machineAccountCheck method and stems from improper handling of an authentication algorithm. The result: a remote, unauthenticated attacker can bypass authentication.
The vulnerability was reported to HPE on October 31, 2024, and the fix shipped in early June 2025. On its own, an authentication bypass is serious; the larger risk is that it can be chained with the other flaws patched in the same release to achieve remote code execution, server-side request forgery (SSRF), information disclosure, and arbitrary file deletion against the appliance.
Affected products and versions
The advisory covers HPE StoreOnce Software. All eight CVEs are remediated in the same release, version 4.3.11. The affected and fixed versions are identical across the set.
| Product | Affected | Fixed |
|---|---|---|
| HPE StoreOnce Software | All versions prior to 4.3.11 | 4.3.11 (or later) |
The full set of CVEs resolved in 4.3.11:
| CVE | Type |
|---|---|
| CVE-2025-37089 | Remote code execution |
| CVE-2025-37090 | Server-side request forgery (SSRF) |
| CVE-2025-37091 | Remote code execution |
| CVE-2025-37092 | Remote code execution |
| CVE-2025-37093 | Authentication bypass (CVSS 9.8) |
| CVE-2025-37094 | Directory traversal / arbitrary file deletion |
| CVE-2025-37095 | Directory traversal / information disclosure |
| CVE-2025-37096 | Remote code execution |
CVSS scores for the seven companion CVEs were not published in HPE's bulletin or the CIS advisory; only CVE-2025-37093 has a publicly confirmed score (9.8). We have intentionally not assigned numbers to the others.
How serious is it
CVE-2025-37093 carries a CVSS 9.8 ("Critical") rating. That score reflects a vulnerability that is network-exploitable, requires no privileges and no user interaction, and can severely impact confidentiality, integrity, and availability. The Center for Internet Security rated the overall risk High for large and medium government and business organizations.
On exploitation status: as of HPE's disclosure and independent analysis from Arctic Wolf, there were no reports of active exploitation in the wild and no publicly available proof-of-concept exploit. We could not confirm that CVE-2025-37093 has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. That is the current picture, not a guarantee about the future — backup and data-protection systems are a recurring target for ransomware operators precisely because compromising them undermines an organization's ability to recover. The absence of a public exploit is a reason to patch on a planned schedule, not a reason to defer.
Am I exposed?
You should treat your environment as in-scope if any of the following are true:
- You run HPE StoreOnce Software (including StoreOnce VSA deployments) at a version below 4.3.11.
- A StoreOnce management interface is reachable from networks beyond your trusted backup administration segment.
To check your version, log into the StoreOnce management console and review the software/firmware version, or query it through your central management tooling. If you are unsure which appliances are in service or what versions they run, an inventory of your backup estate is the right first step — backup targets are easy to overlook in patch programs because they are not user-facing.
How to fix it
Apply the patch. Upgrade all affected HPE StoreOnce systems to version 4.3.11 or later. This single release remediates CVE-2025-37093 and the seven companion CVEs (CVE-2025-37089 through CVE-2025-37096). There is no partial fix — 4.3.11 is the remediation for the entire set.
HPE has not published a standalone workaround that fully mitigates CVE-2025-37093, so upgrading is the authoritative fix. Until every appliance is on 4.3.11, sound interim hardening reduces exposure:
- Restrict network reachability. Ensure StoreOnce management interfaces are only accessible from a dedicated, tightly controlled backup-administration network — never from general user VLANs or the internet.
- Tighten firewall and ACL rules so that only known administrative hosts can reach the appliance's management plane.
- Increase monitoring of authentication and management activity on the appliances while you schedule the upgrade.
Treat these as risk reduction during the upgrade window, not as substitutes for 4.3.11. Validate backup and restore operations after upgrading.
How Uniqcli helps
Uniqcli is an authorized reseller for HPE, HPE Aruba Networking, and HPE Juniper Networking, working with US federal, SLED, healthcare, and enterprise customers. For this advisory we can:
- Assess your exposure — inventory StoreOnce appliances across your environment, confirm running versions, and identify which systems need to move to 4.3.11.
- Source patched or replacement hardware — where appliances are end-of-support or you are planning a refresh of your backup estate, we can quote current StoreOnce systems and compatible alternatives.
- Support the upgrade — coordinate the path to 4.3.11 with your team and HPE support, and help validate backup/restore integrity afterward.
Procurement is available through the vehicles public-sector buyers rely on, including TAA-compliant products, GSA, and SEWP. If you need help confirming whether your StoreOnce systems are affected or planning remediation, contact our team.
Sources
- HPE issues security patch for StoreOnce bug allowing remote authentication bypass — The Hacker News
- Critical Vulnerability in HPE StoreOnce: CVE-2025-37093 — Quorum Cyber
- Multiple Vulnerabilities in HPE StoreOnce Software Could Allow for Remote Code Execution (2025-054) — Center for Internet Security
- CVE-2025-37093 analysis — Arctic Wolf
- Hewlett Packard Enterprise warns of critical StoreOnce auth bypass — BleepingComputer
- HPE patches critical vulnerability in StoreOnce — SecurityWeek