Full Report
Hewlett Packard Enterprise (HPE) has released security updates to address as many as eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. "These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass,
Analysis Summary
# Vulnerability: HPE StoreOnce Authentication Bypass Leading to RCE
## CVE Details
- CVE ID: CVE-2025-37093 (Primary focus, critical)
- CVSS Score: 9.8 (Critical)
- CWE: Authentication bypass vulnerability (related to improper implementation of an authentication algorithm)
**Note:** The advisory covers eight vulnerabilities in total, including CVE-2025-37089 through CVE-2025-37096. CVE-2025-37093 is the critical authentication bypass flaw.
## Affected Systems
- Products: Hewlett Packard Enterprise (HPE) StoreOnce (data backup and deduplication solution)
- Versions: All versions prior to 4.3.11
- Configurations: Not specified; a default installation is presumed vulnerable.
## Vulnerability Description
CVE-2025-37093 is a critical authentication bypass vulnerability rooted in the improper implementation of the `machineAccountCheck` method within StoreOnce. An unauthenticated, remote attacker can leverage this flaw to bypass the system's authentication mechanisms. This specific vulnerability can be chained with other disclosed flaws (including RCE, SSRF, and arbitrary file deletion issues) to potentially achieve full remote code execution in the context of the root user.
## Exploitation
- Status: No reports of active exploitation, but a critical pathway exists.
- Complexity: Implied Low. The associated vulnerabilities that can lead to RCE suggest the flaws can be chained in a straightforward way.
- Attack Vector: Network (Remote exploitation possible)
## Impact
- Confidentiality: High (Potential information disclosure via chained attacks)
- Integrity: High (Potential for arbitrary file deletion and RCE)
- Availability: High (Potential for system disruption via RCE)
## Remediation
### Patches
- Users must update HPE StoreOnce software to **version 4.3.11 or later** to patch CVE-2025-37093 and the associated vulnerabilities.
### Workarounds
- The advisory does not explicitly list workarounds, but securing network access to the StoreOnce management interface is a critical temporary step given the remote nature of the flaw.
## Detection
- **Indicators of Compromise (IOCs):** Monitor system logs for unusual authentication failures or successful logins from unexpected sources, especially preceding any observed RCE, file modification (arbitrary file deletion), or unexpected service behavior changes.
- **Detection Methods and Tools:** Standard network intrusion detection systems (NIDS) monitoring traffic to the StoreOnce management plane may detect attacks if vendor signatures identify patterns specific to the `machineAccountCheck` call. Thorough scanning of the environment for the known vulnerable versions is the best proactive measure.
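
The version scan and the management-interface workaround described above can be combined into one triage pass over an asset inventory. The following is an added example, not HPE tooling or code from the advisory; the CSV columns (`host`, `version`, `mgmt_access`), the hostnames and the sample version strings are constructed assumptions.

```python
import csv
import io
import re

FIXED = (4, 3, 11)  # first fixed release named in the Remediation section

# Constructed inventory; hostnames, versions and column names are assumptions.
SAMPLE_INVENTORY = """host,version,mgmt_access
so-backup-01,4.3.11,restricted
so-backup-02,4.3.9-2308,open
so-backup-03,4.2.3,restricted
so-backup-04,4.10.0,open
so-backup-05,,open
"""

def parse_version(text):
    """Return the leading dotted-numeric version as a tuple, or None."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text or "")
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # treat "4.3" as 4.3.0
    return tuple(parts)

def triage(inventory_csv):
    """Map each host to an action: ok, patch, patch-now or verify."""
    actions = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("version"))
        access = (row.get("mgmt_access") or "").strip().lower()
        if version is None:
            actions[row["host"]] = "verify"      # unknown version: confirm by hand
        elif version >= FIXED:
            actions[row["host"]] = "ok"          # numeric compare, so 4.10.0 > 4.3.11
        elif access == "restricted":
            actions[row["host"]] = "patch"       # vulnerable, management plane fenced off
        else:
            actions[row["host"]] = "patch-now"   # vulnerable and broadly reachable
    return actions

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

Comparing versions as integer tuples rather than strings matters here: a plain string comparison would rank `4.3.9` above `4.3.11` and miss a vulnerable system.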
## References
- Vendor Advisory: h
- ZDI Advisory for Auth Bypass (CVE-2025-37093): h
- ZDI Advisory for File Deletion (Chained Flaw): h
- HPE Advisory Link (General fix information): h