HPE StoreOnce Flaws Expose Firms to Remote Code Attacks

Hewlett Packard Enterprise (HPE) has patched multiple critical vulnerabilities in its StoreOnce data protection platform that could allow remote code execution, authentication bypass, and unauthorized access to enterprise storage systems. The flaws impact StoreOnce VSA versions prior to 4.3.11 and pose significant risk to backup infrastructure.

The most severe issue, CVE-2025-37093, carries a CVSS score of 9.8 and enables unauthenticated attackers to bypass access controls. Additional vulnerabilities—CVE-2025-37089, CVE-2025-37091, CVE-2025-37092, and CVE-2025-37096—allow remote code execution by users with high privileges. Two other flaws, CVE-2025-37094 and CVE-2025-37095, expose systems to arbitrary file deletion and information disclosure.

All vulnerabilities are exploitable over networks with low attack complexity, widening the attack surface. Researchers working with Trend Micro’s Zero Day Initiative discovered the issues. HPE has released StoreOnce version 4.3.11 to address the flaws and urges customers to update immediately and implement network segmentation and vulnerability scanning protocols.
