Quest NetVault Backup NVBUDashboard SQL Injection Vulnerability (CVE-2026-9786) Allows Remote Code Execution
A new SQL injection flaw in Quest NetVault Backup's NVBUDashboard component, tracked as CVE-2026-9786 with a CVSS score of 8.8, allows authenticated attackers to bypass authentication and execute arbitrary code.
Zero Day Initiative has disclosed a critical SQL injection vulnerability in Quest NetVault Backup's NVBUDashboard component, assigned CVE-2026-9786 with a CVSS score of 8.8. The flaw allows authenticated remote attackers to bypass existing authentication mechanisms and execute arbitrary code on affected installations of the backup software.
The vulnerability resides in the processing of JSON-RPC messages within the NVBUDashboard component. The issue stems from a lack of proper validation of user-supplied strings before they are used to construct SQL queries. An attacker can exploit this flaw to execute arbitrary code in the context of the NETWORK SERVICE account, which provides elevated privileges on the target system.
Quest NetVault Backup is a widely used enterprise backup and recovery solution deployed across many organizations to protect critical data. The NVBUDashboard component is a web-based interface that administrators use to manage backup jobs, monitor status, and configure settings. Because the dashboard is often exposed to internal networks, the attack surface is significant.
Quest has released an update to address this vulnerability. The fix is included in NetVault Backup version 14.0.2, and users are strongly advised to apply the patch immediately. The release notes can be found at Quest's support portal. No workarounds have been provided for unpatched installations.
This disclosure follows a series of ZDI advisories for Quest NetVault Backup, including a separate SQL injection (CVE-2026-7570) and a command injection (CVE-2026-9787) disclosed earlier this year. The pattern suggests that Quest's backup suite has been under active security scrutiny, and administrators should prioritize patching all components.
Organizations using Quest NetVault Backup should verify their deployment version and apply the 14.0.2 update as soon as possible. Given the high CVSS score and the ability to bypass authentication, this vulnerability poses a serious risk to enterprise backup infrastructure, which is often a high-value target for ransomware operators seeking to disable recovery capabilities.