Security update: Various attacks on HPE StoreOnce possible

Eight software vulnerabilities in HPE's StoreOnce backup solution make systems vulnerable to attack. These include a "critical" vulnerability. Malicious code can reach PCs via further attacks. A version protected against possible attacks is now available for download. HPE states that it has reported the gaps in collaboration with the security researchers from Trend Micro's Zero Day Initiative.

The security issues

The vulnerabilities are listed in a warning message. If attackers successfully exploit the critical vulnerability (CVE-2025-37093), they can bypass authentication in an unspecified way.

In several cases, attackers can push their own code onto systems and execute it (e.g. CVE-2025-3708 "high"). They then usually gain full control over computers. Such attacks should be possible remotely. Attackers can also access data that is actually sealed off (CVE-2025-37095 "medium"). Manipulating access to files is also possible, and attackers should even be able to delete data.

Security update now available

To prevent the attacks described, administrators must install HPE StoreOnce 4.3.11. The developers state that all previous versions are vulnerable. So far, there are no reports of ongoing attacks. It is also unclear which parameters admins can use to recognize systems that have already been attacked.

HPE Aruba last made headlines in April of this year with various security vulnerabilities in access points, among other things. Malicious code attacks can also occur in this context.

(des)