VYPR advisory · Published Jun 24, 2026 · 1 source

Quest NetVault Backup Authentication Bypass via XSS (CVE-2026-7569) Disclosed by ZDI

A high-severity cross-site scripting vulnerability in Quest NetVault Backup's viewclient component allows remote attackers to bypass authentication and potentially execute code as SYSTEM.

Zero Day Initiative (ZDI) has disclosed a new authentication bypass vulnerability in Quest NetVault Backup, tracked as CVE-2026-7569 with a CVSS score of 8.8. The flaw resides in the viewclient webpage component and stems from improper validation of user-supplied data, enabling attackers to inject arbitrary scripts. Successful exploitation requires user interaction—the target must visit a malicious page or open a malicious file—but the consequences are severe: an attacker can leverage the XSS in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.

The vulnerability was reported to Quest on October 3, 2025, by Bobby Gould of Trend Micro's Zero Day Initiative. Quest has since released an update to address the issue, detailed in the NetVault Backup 14.0.2 release notes. The advisory was publicly released on June 24, 2026, following coordinated disclosure. Users are strongly urged to apply the vendor patch immediately to mitigate the risk of remote code execution.

Quest NetVault Backup is a widely used enterprise data protection solution, deployed across organizations of all sizes to manage backups for physical and virtual environments. The viewclient component is a web-based interface that allows administrators to monitor and manage backup operations. An XSS flaw in this interface could be exploited to steal session tokens, perform actions on behalf of an authenticated user, or—when combined with other bugs—achieve full system compromise.

The disclosure comes amid a broader trend of vulnerabilities in enterprise backup software, which are attractive targets for attackers seeking to disrupt operations or exfiltrate sensitive data. Backup systems often have elevated privileges and broad access to critical data, making authentication bypass flaws particularly dangerous. This is the second ZDI advisory for Quest NetVault Backup in recent months; earlier in June 2026, a critical SQL injection vulnerability (CVE-2026-7570) in the NVBUDashboard component was also disclosed.

Organizations using Quest NetVault Backup should prioritize patching to version 14.0.2 or later. As a temporary mitigation, administrators can restrict access to the viewclient interface to trusted IP addresses and enforce multi-factor authentication where possible. The vendor's advisory is available at Quest's support portal. Given the high CVSS score and the potential for SYSTEM-level code execution, this vulnerability warrants immediate attention from security teams.

Synthesized by Vypr AI