Description
Quest NetVault Backup NVBUDeviceDrive SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the processing of NVBUDeviceDrive JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27633.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the handling of NVBUDeviceDrive JSON‑RPC messages in Quest NetVault Backup allows an attacker to inject SQL statements. The lack of input validation enables a malicious user to execute arbitrary queries, leading to remote code execution. Because the authentication mechanism can be bypassed, an attacker does not need valid credentials, and any successful attack runs with NETWORK SERVICE privileges.

Affected Systems

Quest NetVault Backup installations are affected. The vulnerability is tied to the NVBUDeviceDrive component; specific product versions are not listed in the advisory, but the recommendation is to apply any security patch or update available from Quest.

Risk and Exploitability

The CVSS 3.0 score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity and availability impact with low attack complexity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access to the JSON‑RPC interface; the low privileges nominally required can be obtained by bypassing the existing authentication mechanism, which increases the likelihood of successful attacks. Once exploited, code runs in the context of the NETWORK SERVICE account, as stated in the description, which is sufficient for a substantial compromise of the affected host.

Generated by OpenCVE AI on June 25, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest security fix or update Quest NetVault Backup to a version that addresses the NVBUDeviceDrive SQL injection (CWE‑89).
  • Restrict network exposure of the JSON‑RPC endpoint so that only trusted hosts can reach it.
  • Implement strong authentication and consider multi‑factor authentication to reduce the impact of the authentication bypass.
  • If possible, disable or lock down the NVBUDeviceDrive functionality until a patch is applied.
  • Monitor system logs for anomalous SQL activity and account‑takeover attempts, and respond to indicators of compromise promptly.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 23:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Quest NetVault Backup NVBUDeviceDrive SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of NVBUDeviceDrive JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27633.
Title       |                | Quest NetVault Backup NVBUDeviceDrive SQL Injection Remote Code Execution Vulnerability
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-24T23:14:30.557Z

Reserved: 2026-05-27T22:28:21.992Z

Link: CVE-2026-9782

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T01:15:15Z

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')