
Critical HPE StoreOnce Flaws Allow Remote Code Execution by Attackers



Hewlett Packard Enterprise (HPE) has issued a critical security bulletin (HPESBST04847 rev. 1) warning users of multiple high-impact vulnerabilities in its StoreOnce Software, specifically affecting versions before 4.3.11.

The vulnerabilities, if exploited, could allow attackers to bypass authentication, execute arbitrary code remotely, perform server-side request forgery (SSRF), delete files, and access sensitive information via directory traversal.

One of the most severe vulnerabilities, tracked as CVE-2025-37093, enables remote attackers to bypass authentication entirely, granting unauthorized access to affected StoreOnce VSA systems.

This flaw, rooted in the improper implementation of the machineAccountCheck method, allows adversaries to gain system-level privileges without any user interaction or credentials.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it is classified as “critical” and requires immediate attention.

CVEs, Attack Vectors, and Severity

The ...


Copyright of this story solely belongs to gbhackers.