Description
Quest NetVault Backup NVBURASDevice SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the processing of NVBURASDevice JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27648.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the handling of NVBURASDevice JSON‑RPC messages, where an unsanitized user‑supplied string is directly incorporated into SQL queries. This omission permits an attacker to inject arbitrary SQL and ultimately execute code with the privileges of the NETWORK SERVICE account. Though the product requires authentication, the existing mechanism can be bypassed, allowing unauthenticated attackers to access the vulnerable endpoint. The resulting code execution could compromise confidentiality, integrity, and availability of the affected system.

Affected Systems

Quest NetVault Backup installations that have not applied the latest patch or upgrade are affected. The vulnerability is tied specifically to the NVBURASDevice JSON‑RPC component, so any deployment that exposes this interface to the network is potentially vulnerable. Version specifics are not enumerated in the data, so all public‑facing instances of NetVault Backup are at risk until mitigated.

Risk and Exploitability

The CVSS score of 8.8 places this issue in the High severity range. EPSS data is not available, so the current exploitation probability is unclear. The authentication requirement offers limited protection because the existing mechanism can be bypassed, and that bypass could be discovered or may already be in use. The vulnerability is not listed in the CISA KEV catalog, which suggests there are no publicly confirmed exploits yet, but the remote attack vector and the ability to bypass authentication elevate the risk. The attack is likely to proceed over the network through the JSON‑RPC endpoint, requiring no local privileges.

Generated by OpenCVE AI on June 25, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's latest patch for Quest NetVault Backup that addresses the NVBURASDevice JSON‑RPC vulnerability.
  • Restrict network access to the NVBURASDevice JSON‑RPC endpoint to trusted IP addresses or isolate it behind a firewall.
  • Implement a network boundary or intrusion detection system to monitor and block suspicious SQL injection patterns targeting the backup server.
  • If a patch is not immediately available, temporarily disable the NVBURASDevice JSON‑RPC interface or block it via firewall until remediation is applied.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 23:45:00 +0000

Type: Values Added (no values removed)
Description: Quest NetVault Backup NVBURASDevice SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of NVBURASDevice JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27648.
Title: Quest NetVault Backup NVBURASDevice SQL Injection Remote Code Execution Vulnerability
Weaknesses: CWE-89
References:
Metrics: cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-24T23:14:05.456Z

Reserved: 2026-05-27T22:28:02.900Z

Link: CVE-2026-9781

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T01:15:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')