Description
Quest NetVault Backup NVBULogDaemon Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the processing of NVBULogDaemon JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27625.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a command injection flaw in the NVBULogDaemon JSON‑RPC interface of Quest NetVault Backup. A remote attacker can supply an unvalidated string that is incorporated into a system call, allowing execution of arbitrary code with SYSTEM privileges and providing full control of the affected host. The weakness is described as CWE‑78, which denotes unsafe handling of system commands.

Affected Systems

The affected product is Quest NetVault Backup. No specific version information is provided in the CVE entry; however, the release notes for version 14.0.2 contain the fix, indicating that any earlier releases prior to 14.0.2 are vulnerable.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is classified as high severity. The attacker requires authentication to access the NVBULogDaemon service, but the authentication mechanism can be bypassed, effectively allowing unauthenticated remote exploitation. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the potential to gain SYSTEM‑level access renders the risk significant and warrants immediate attention.

Generated by OpenCVE AI on June 25, 2026 at 00:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest NetVault Backup to the latest version that includes the fix, such as 14.0.2 or newer.
  • Restrict network access to the NVBULogDaemon service by limiting connections to trusted hosts or applying firewall rules.
  • If the NVBULogDaemon service is not essential, disable it or enforce strong authentication before allowing RPC calls.

Generated by OpenCVE AI on June 25, 2026 at 00:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Quest NetVault Backup NVBULogDaemon Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of NVBULogDaemon JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27625.
Title Quest NetVault Backup NVBULogDaemon Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-24T23:15:19.166Z

Reserved: 2026-05-27T22:31:02.769Z

Link: CVE-2026-9787

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T00:45:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')