Emergency Security Bulletin: Authentication Bypass Vulnerability in HPE StoreOnce Software


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES


Authentication Bypass Vulnerability in HPE StoreOnce Software


CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-37093
Exploit or POC: No known public exploit
Update: CVE-2025-37093 – HPE Security Bulletin

Description: CVE-2025-37093 is a critical authentication bypass vulnerability in HPE StoreOnce Software. A remote attacker who can reach an affected StoreOnce system could exploit the flaw to bypass authentication and gain administrative access to the appliance without valid credentials. Because StoreOnce appliances hold backup data and are typically trusted by the backup infrastructure around them, administrative access to one is sufficient for complete compromise of the system and the data it protects.

Affected Versions:

  • HPE StoreOnce Software versions prior to 4.3.11

Mitigation Recommendation: HPE has released StoreOnce Software version 4.3.11 to address this vulnerability. Organizations running affected versions should upgrade immediately to prevent unauthorized access. If immediate patching is not feasible, restrict network access to the StoreOnce management interface to trusted administrative networks only, monitor the appliance and surrounding infrastructure for unexpected administrative logins or configuration changes, and consult HPE support for additional mitigation guidance.
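The first step in acting on this bulletin is knowing which StoreOnce systems are still below 4.3.11. The following triage helper is an added example (it is not HPE's or RedLegg's code) that compares reported software versions against the fixed release. It assumes StoreOnce reports its version as dotted numerics with an optional build suffix such as "4.3.10" or "4.3.11-2205"; the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Triage helper: flag HPE StoreOnce Software versions affected by CVE-2025-37093.

Added example, not HPE's or RedLegg's code. Assumes versions are reported as
dotted numerics with an optional build suffix ("4.3.10", "4.3.11-2205").
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (4, 3, 11)  # first StoreOnce Software release HPE shipped with the fix

# Optional leading "v", dotted numeric components, optional "-build" / "+build" suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:[-+].*)?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of a version string, or None if unparseable.

    Build suffixes after '-' or '+' are ignored: they do not change which
    release the appliance is running.
    """
    match = _VERSION_RE.match(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if version < 4.3.11, False if at or above it, None if unparseable.

    Unknown versions are returned as None rather than False so they are
    triaged manually instead of being silently treated as patched.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Pad both tuples to equal length so "4.3" compares as 4.3.0.
    width = max(len(parsed), len(FIXED_VERSION))
    reported = parsed + (0,) * (width - len(parsed))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return reported < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group a {hostname: version} inventory into vulnerable / patched / unknown hosts."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_vulnerable(version)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "storeonce-dc1": "4.3.10",
    "storeonce-dc2": "4.3.11",
    "storeonce-dr": "4.2.3-1890",
    "storeonce-lab": "4.3.11-2205",
    "storeonce-old": "3.18.2",
    "storeonce-bad": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed the script an inventory pulled from your asset management or backup-administration tooling; anything landing in the "unknown" bucket should be checked by hand on the appliance rather than assumed safe.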

Note: Given the critical severity of this vulnerability and the potential for complete system compromise, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.