Hewlett Packard Enterprise (HPE) has released a security bulletin to warn about eight vulnerabilities affecting StoreOnce, its disk-based backup and deduplication solution.
Among the flaws fixed this time is a critical-severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked as CVE-2025-37093, along with three remote code execution bugs, two directory traversal problems, and a server-side request forgery issue.
The flaws affect all versions of the HPE StoreOnce software before v4.3.11, which is now the recommended upgrade version.
Here is the complete list of the eight vulnerabilities fixed in version 4.3.11:
- CVE-2025-37089 – Remote Code Execution
- CVE-2025-37090 – Server-Side Request Forgery
- CVE-2025-37091 – Remote Code Execution
- CVE-2025-37092 – Remote Code Execution
- CVE-2025-37093 – Authentication Bypass
- CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
- CVE-2025-37095 – Directory Traversal Information Disclosure
- CVE-2025-37096 – Remote Code Execution
Few details about the flaws have been disclosed at this time.
However, the Zero Day Initiative (ZDI), which discovered them, mentions that CVE-2025-37093 exists within the implementation of the machineAccountCheck method and results from the improper implementation of an authentication algorithm.
Although CVE-2025-37093 is the only one rated critical, the others still carry significant risk, even though they are generally rated lower in severity.
ZDI states that the authentication bypass problem is the key to unlocking the potential of all the other flaws, so the risk they pose cannot be considered separately.
The examples of CVE-2025-37094 and CVE-2025-37095, two medium-severity file deletion and information disclosure flaws, suggest that exploitation is easier than what is reflected in the score.
“This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise StoreOnce VSA,” ZDI explains.
“Although exploiting this vulnerability requires authentication, the existing authentication mechanism can be bypassed.”
Notably, the flaws were discovered and reported to HPE in October 2024, with seven months passing before fixes finally became available to customers. Nevertheless, there are no reports of active exploitation.
HPE StoreOnce is typically used for backup and recovery in large enterprises, data centers, cloud service providers and, more generally, organizations that handle big data or large virtualized environments.
StoreOnce integrates with backup software such as HPE Data Protector, Veeam, Commvault, and Veritas NetBackup, ensuring business continuity and effective backup management.
That said, administrators of potentially affected environments should take immediate action and apply the available security updates to close the gaps.
HPE has not listed any mitigations or workarounds for the eight flaws in the bulletin, so upgrading is the recommended solution.