Description
Quest NetVault Backup NVBURemovableMedia SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the processing of NVBURemovableMedia JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27632.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection in the NVBURemovableMedia JSON‑RPC handler, where a user-supplied string is concatenated directly into a SQL query without validation. If exploited, the attacker can run arbitrary code in the server process with the privileges of the NETWORK SERVICE account, giving them control over the system at that privilege level. The weakness is identified as CWE‑89 and carries a CVSS score of 8.8, indicating high severity.

Affected Systems

Quest NetVault Backup installations are affected. No specific version range is provided in the data, but the referenced release notes point to version 14.0.2, suggesting earlier releases may also be vulnerable.

Risk and Exploitability

An attacker must reach the target machine and be able to send authenticated JSON‑RPC traffic, but the existing authentication can be bypassed. Because the vulnerability can be triggered remotely, a malicious actor can execute code without local access. The EPSS score is not available, and the issue is not listed in CISA KEV, so while exploitation risk is not quantified, the high CVSS and remote code execution nature warrant immediate attention.

Generated by OpenCVE AI on June 25, 2026 at 00:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Quest NetVault Backup patch that addresses the NVBURemovableMedia SQL injection. This is the most effective protection against remote code execution.
  • Restrict network access to the JSON‑RPC service: limit connections to trusted hosts or subnets via firewall rules or VPNs, reducing the attack surface.
  • If removable media functionality is not required, disable or remove it to eliminate the vulnerable processing path.

Generated by OpenCVE AI on June 25, 2026 at 00:38 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | Quest NetVault Backup NVBURemovableMedia SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of NVBURemovableMedia JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27632.
Title | | Quest NetVault Backup NVBURemovableMedia SQL Injection Remote Code Execution Vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_0: score 8.8, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-24T23:14:39.270Z

Reserved: 2026-05-27T22:28:42.965Z

Link: CVE-2026-9783

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:45:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')