HPE StoreOnce Login Vulnerability

A critical flaw in HPE StoreOnce Software, tracked as CVE-2025-37093, has come to light: an authentication bypass rated 9.8 on the CVSS scale, a score that reflects how severe it is. The issue affects all versions of the software prior to v4.3.11 and requires immediate attention from users.

The flaw, which stems from improper authentication handling, was discovered seven months before the fix shipped. No exploitation in the wild has been reported so far, but that should not lessen the urgency: the same advisory covers several further vulnerabilities in HPE StoreOnce Software that compound the risk, and every version prior to 4.3.11 is exposed to them. The gap between discovery and patch release is one more reason to update without delay.

In response to this potentially devastating flaw, HPE has released StoreOnce Software version 4.3.11, which fixes this and seven other vulnerabilities, including severe remote code execution, server-side request forgery, and directory traversal issues. Each of these places user data and network integrity at significant risk, which makes prompt patch deployment critical.

HPE advises that the most effective mitigation is to update to this latest version immediately; the advisory offers no alternative protective measures.
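Because the only stated remedy is "update to 4.3.11 or later", the practical first step is to find every StoreOnce appliance still running an earlier build. The following is an added example, not HPE's code: a small inventory check that compares StoreOnce version strings numerically against the fixed release. The hostnames and version strings in it are constructed for illustration; in practice the version would come from the StoreOnce management console or an asset inventory export.

```python
"""Version-range check for the HPE StoreOnce advisory (CVE-2025-37093 and
the other flaws fixed in 4.3.11).

Added example, not HPE's code. Sample hostnames and versions below are
constructed for illustration.
"""
import re

# First StoreOnce Software release that contains the fix, per the advisory.
FIXED_VERSION = "4.3.11"


def parse_version(s: str) -> tuple[int, ...]:
    """Turn 'v4.3.10' or '4.3.10-build123' into a numeric tuple (4, 3, 10).

    Comparing tuples of ints avoids the classic pitfall of comparing the raw
    strings, where '4.3.9' sorts *after* '4.3.11' because '9' > '1'.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` predates the fixed release (all versions before 4.3.11)."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames in `inventory` still running a vulnerable build."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hostname -> reported StoreOnce Software version.
SAMPLE_INVENTORY = {
    "so-backup-01": "4.3.9",     # affected
    "so-backup-02": "v4.3.11",   # fixed release, leading 'v' tolerated
    "so-dr-01": "4.2.3",         # affected (older minor)
    "so-lab-01": "4.3.12",       # later than the fix, not affected
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected; update to {FIXED_VERSION}")
```

The numeric comparison is the point of the example: a naive string comparison would report the 4.3.9 appliance as already patched. Adapt the inventory dict to whatever export your environment produces.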

Failure to act could result in unauthorized access, exploitation of network systems, and manipulation of sensitive data. Past vulnerabilities have often been exploited precisely because organizations hesitated to apply patches, and the current absence of known exploitation does not preclude future attacks.

Importantly, HPE's advisory provides no workaround, so users who cannot update to 4.3.11 immediately should, as a general precaution, restrict network access to the StoreOnce management interface to trusted hosts and continuously monitor their systems for any signs of exploitation until the update can be applied.
