HPE Patches Critical Vulnerability in StoreOnce
securityweek
An HPE StoreOnce vulnerability allows attackers to bypass authentication, potentially leading to remote code execution.


Hewlett Packard Enterprise (HPE) this week announced fixes for multiple vulnerabilities in StoreOnce software, including a critical flaw leading to authentication bypass.
The StoreOnce software powers HPE’s storage products, which are secondary storage systems that provide data protection, copy management, backup, and deduplication capabilities to increase efficiency. StoreOnce VSA, a virtual appliance offering the same functionality, is also available.
The critical issue addressed in StoreOnce this week, tracked as CVE-2025-37093 (CVSS score of 9.8), was discovered in the software’s implementation of the machineAccountCheck method.
“The issue results from improper implementation of an authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system,” a ZDI advisory reads.
CVE-2025-37093 does not appear to have been exploited in the wild, but it is not uncommon for threat actors to target backup ...
Copyright of this story solely belongs to securityweek.