Critical SQL Injection Vulnerability in Quest NetVault Backup Allows Remote Code Execution (CVE-2026-7570)
A critical SQL injection vulnerability in Quest NetVault Backup's NVBUDashboard component, tracked as CVE-2026-7570 with a CVSS score of 8.8, allows authenticated attackers to bypass authentication and execute arbitrary code.

Zero Day Initiative has disclosed a critical SQL injection vulnerability (CVE-2026-7570) in Quest NetVault Backup, specifically within the NVBUDashboard component. The flaw, rated CVSS 8.8 (High), allows remote authenticated attackers to bypass the existing authentication mechanism and execute arbitrary code on affected installations of the backup and recovery software.
The vulnerability exists in the processing of JSON-RPC messages by NVBUDashboard. The issue stems from insufficient validation of user-supplied strings before they are used to construct SQL queries. An attacker can exploit this SQL injection to execute arbitrary code in the context of the NETWORK SERVICE account, which could then be leveraged for further lateral movement or privilege escalation within an enterprise environment.
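The flaw class described above, shown as an added example (not code from the advisory or from Quest): a JSON-RPC handler that passes a string parameter into a SQL query first by concatenation, then as a bound parameter. The `jobs.list` method, the `jobs` table and the sample messages are constructed for illustration; the page does not describe NVBUDashboard's actual methods or schema.

```python
import json
import sqlite3

def make_db():
    # Constructed schema and rows; the product's real tables are not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER, owner TEXT)")
    db.executemany("INSERT INTO jobs VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def list_jobs_concat(db, owner):
    # Weak pattern: the message string becomes part of the SQL text itself.
    sql = "SELECT id FROM jobs WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def list_jobs_bound(db, owner):
    # Corrected pattern: constant SQL text, value bound as data by the driver.
    sql = "SELECT id FROM jobs WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner,))]

def error(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}

def handle(db, raw, query):
    """Dispatch one JSON-RPC 2.0 request for the hypothetical jobs.list method."""
    try:
        req = json.loads(raw)
    except ValueError:
        return error(None, -32700, "Parse error")
    if not isinstance(req, dict):
        return error(None, -32600, "Invalid Request")
    if req.get("method") != "jobs.list":
        return error(req.get("id"), -32601, "Method not found")
    params = req.get("params")
    owner = params.get("owner") if isinstance(params, dict) else None
    # Type and length checks reject malformed input; binding is what stops injection.
    if not isinstance(owner, str) or len(owner) > 64:
        return error(req.get("id"), -32602, "Invalid params")
    return {"jsonrpc": "2.0", "id": req.get("id"), "result": query(db, owner)}

def request(owner):
    # Constructed sample message.
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "jobs.list",
                       "params": {"owner": owner}})

if __name__ == "__main__":
    quoted = request("x' OR '1'='1")  # constructed string containing SQL quotes
    print(handle(make_db(), quoted, list_jobs_concat))  # quote alters the query
    print(handle(make_db(), quoted, list_jobs_bound))   # quote is just data
```

The concatenated query returns every row for the quoted input, while the bound query returns none because the whole string is compared as a literal owner name.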
Quest NetVault Backup is widely deployed in enterprise environments to manage backup, recovery, and deduplication operations across mixed IT infrastructures. Organizations using vulnerable versions of NetVault Backup are at risk of unauthorized data access, ransomware deployment, or complete compromise of backup infrastructure, which could cripple disaster recovery capabilities.
Quest has released an update to address this vulnerability. The vendor's advisory, available in the NetVault 14.0.2 release notes, contains details on the patch. Users are strongly urged to upgrade to the latest version immediately to prevent potential exploitation.
The vulnerability was reported to Quest on September 24, 2025, and the coordinated advisory was publicly released on June 24, 2026. The discovery is credited to the researcher identified by the hash 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044.
This disclosure is part of a steady stream of vulnerabilities targeting enterprise backup software, which are attractive targets for ransomware groups and advanced persistent threats (APTs) due to their elevated privileges and access to critical data. Organizations using NetVault Backup should prioritize patching to fortify their defenses against such attacks.