
HPE Patches Critical Vulnerability in StoreOnce

  • Last updated:2025-06-26

Hewlett Packard Enterprise (HPE) this week announced fixes for multiple vulnerabilities in StoreOnce software, including a critical flaw leading to authentication bypass.

The StoreOnce software powers HPE’s storage products, secondary storage systems that provide data protection, copy management, backup, and deduplication capabilities to increase efficiency. StoreOnce VSA, a virtual appliance offering the same functionality, is also available.

The critical issue addressed in StoreOnce this week, tracked as CVE-2025-37093 (CVSS score of 9.8), was discovered in the software’s implementation of the machineAccountCheck method.

“The issue results from improper implementation of an authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system,” a ZDI advisory reads.

CVE-2025-37093 does not appear to have been exploited in the wild, but it is not uncommon for threat actors to target backup solutions, security firm Arctic Wolf warns.

“Arctic Wolf has not observed any active exploitation of this vulnerability in the wild or any publicly available proof-of-concept (PoC) exploit. However, threat actors may target it in the near future, as backup solutions have been frequent targets in the past,” the company notes.

HPE addressed the bug with the release of StoreOnce version 4.3.11. The update also resolves seven other security defects, including four rated ‘high severity’ that could lead to remote code execution (RCE).

While all four RCE flaws require authentication to be exploited, they could be chained with the critical authentication bypass to fully compromise vulnerable systems.
