On 2 June 2025, Hewlett Packard Enterprise (HPE) released fixes for multiple vulnerabilities affecting HPE StoreOnce VSA, an enterprise backup storage solution. The most severe of these was CVE-2025-37093, a critical authentication bypass vulnerability discovered by the Zero Day Initiative (ZDI). The flaw resides in the implementation of the machineAccountCheck method and stems from improper handling of an authentication algorithm. CVE-2025-37093 can potentially be chained with other, lower-severity vulnerabilities to achieve outcomes such as remote code execution, information disclosure, and directory traversal.
Arctic Wolf has not observed any active exploitation of this vulnerability in the wild or any publicly available proof-of-concept (PoC) exploit. However, threat actors may target it in the near future, as backup solutions have been frequent targets in the past—evidenced by several vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog.
Recommendation for CVE-2025-37093
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| HPE StoreOnce VSA | Versions prior to 4.3.11 | 4.3.11 or later |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
References
Resources
