Description
Quest NetVault Backup NVBULibrarySlot SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the processing of NVBULibrarySlot JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27630.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection flaw in the NVBULibrarySlot JSON‑RPC handler of Quest NetVault Backup. The bug results from insufficient sanitization of a user‑supplied string that is later incorporated into SQL statements, allowing an attacker to inject arbitrary SQL. When successful, the injection grants code execution privileges under the NETWORK SERVICE account. Although the product requires authentication to access the endpoint, the authentication mechanism can be bypassed, so a remote attacker can obtain the necessary privileges without valid credentials.

Affected Systems

Quest NetVault Backup is affected. No specific version information is supplied in the CNA data, but the issue is documented in the 14.0.2 release notes.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity level. EPSS information is unavailable, so exploitation probability is unknown, and the vulnerability is not currently listed in CISA’s KEV catalog. The flaw can be exploited remotely through the JSON‑RPC interface, and an attacker can bypass authentication controls, enabling arbitrary code execution and potentially compromising the entire backup system and underlying host.

Generated by OpenCVE AI on June 25, 2026 at 00:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Quest NetVault Backup to the latest version that contains the fix referenced in the support release notes, such as 14.0.2 or newer.
  • Restrict network access to the NetVault Backup JSON‑RPC service by allowing only trusted hosts and blocking exposure to the public internet.
  • Ensure that authentication requires strong credentials and disable or heavily restrict remote JSON‑RPC access for unauthenticated users until the patch is applied.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Quest NetVault Backup NVBULibrarySlot SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of NVBULibrarySlot JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27630. |
| Title | | Quest NetVault Backup NVBULibrarySlot SQL Injection Remote Code Execution Vulnerability |
| Weaknesses | | CWE-89 |
| References | | |
| Metrics | | cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-24T23:14:57.747Z

Reserved: 2026-05-27T22:29:59.052Z

Link: CVE-2026-9785

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:45:05Z

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')