• HPE flags critical StoreOnce auth bypass, users should update now

    From TechnologyDaily@1337:1/100 to All on Wed Jun 4 10:45:07 2025
    HPE flags critical StoreOnce auth bypass, users should update now

    Date:
    Wed, 04 Jun 2025 09:33:21 +0000

    Description:
    Eight vulnerabilities patched at once, including a critical severity auth bypass.

    FULL STORY ======================================================================
    HPE patches eight flaws in StoreOnce platform
    Among the flaws is a critical severity authentication bypass
    There are no workarounds and users are advised to patch up

    Hewlett Packard Enterprise (HPE) has revealed patches for a number of dangerous flaws affecting its data backup and recovery solution, StoreOnce, including a critical-severity bug which allows threat actors to gain full access to the vulnerable system without user interaction.

    The bug is tracked as CVE-2025-37093, and is described as an authentication bypass flaw stemming from improper authentication handling. It has a severity score of 9.8/10 (critical) and could potentially be abused to compromise system integrity, allow threat actors to access sensitive data, and lead to different disruptions and availability issues.

    Crooks could use it to deploy ransomware, steal sensitive data, or move laterally throughout the target network.

    Eight flaws patched

    In HPE's advisory, the company said all versions prior to 4.3.11 are vulnerable, and urged users to update their software as soon as possible.

    There are no other mitigations or workarounds, so if you can't update your instance immediately, it would be best to remove the product until you can patch it.

    The issues were reportedly discovered seven months ago, but apparently none of them have been abused in the wild so far.

    In total, HPE patched eight flaws this time around. While the authentication bypass is the most severe one, others are potentially dangerous, as well.

    Here is the list of the other seven flaws HPE fixed in version 4.3.11:

    CVE-2025-37089 Remote Code Execution
    CVE-2025-37090 Server-Side Request Forgery
    CVE-2025-37091 Remote Code Execution
    CVE-2025-37092 Remote Code Execution
    CVE-2025-37094 Directory Traversal Arbitrary File Deletion
    CVE-2025-37095 Directory Traversal Information Disclosure
    CVE-2025-37096 Remote Code Execution

    HPE StoreOnce is a disk-based backup and recovery system that uses data deduplication to reduce storage needs. It is usually used by enterprises, government agencies, and mid-sized businesses with complex IT environments.

    StoreOnce supports integration with other backup and enterprise software,
    such as HPE Data Protector, Veeam, Veritas NetBackup, Commvault, and
    Microsoft Data Protection Manager. It also connects with cloud storage
    through HPE Cloud Bank Storage.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/hpe-flags-critical-storeonce-auth-bypass-users-should-update-now


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)