Vypr advisory · Published Jun 24, 2026 · 1 source

Quest NetVault Backup NVBUDeviceDrive SQL Injection Vulnerability (CVE-2026-9782) Allows Remote Code Execution

A critical SQL injection flaw in Quest NetVault Backup's NVBUDeviceDrive component, tracked as CVE-2026-9782 with a CVSS score of 8.8, allows remote attackers to bypass authentication and execute arbitrary code.

A critical SQL injection vulnerability has been disclosed in Quest NetVault Backup, a widely used enterprise backup and recovery solution. The flaw, tracked as CVE-2026-9782 and assigned a CVSS score of 8.8, resides in the NVBUDeviceDrive component and allows remote attackers to bypass authentication and execute arbitrary code on affected installations.

The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-26-371. According to the advisory, the specific flaw exists within the processing of NVBUDeviceDrive JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed, making the attack feasible for remote, unauthenticated actors.
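
The bug class the advisory describes, shown as an added illustration rather than code from NetVault or ZDI: a JSON-RPC method that splices a user-supplied string into a SQL statement, beside the same method with the value bound as a parameter and length-checked. The `device_drive` table, the `getDrive` method and the sample rows are hypothetical and constructed for the example; they are not NetVault's real schema or RPC surface.

```python
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a device-drive table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device_drive (name TEXT, serial TEXT)")
    conn.executemany("INSERT INTO device_drive VALUES (?, ?)",
                     [("drive-01", "SN-0001"), ("drive-02", "SN-0002")])
    return conn


def handle_vulnerable(conn: sqlite3.Connection, rpc_message: str) -> list:
    """Concatenates the caller's string into the query: its quotes and
    operators are parsed as SQL, which is the defect the advisory describes."""
    req = json.loads(rpc_message)
    name = req["params"]["name"]  # user-controlled, never validated
    sql = "SELECT serial FROM device_drive WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def handle_fixed(conn: sqlite3.Connection, rpc_message: str) -> list:
    """Validates the type and length, then binds the value as a parameter so
    the database driver only ever treats it as data, never as SQL."""
    req = json.loads(rpc_message)
    name = req["params"].get("name")
    if not isinstance(name, str) or not 0 < len(name) <= 64:
        raise ValueError("invalid drive name")
    sql = "SELECT serial FROM device_drive WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed JSON-RPC messages: one ordinary lookup, one carrying a quote
# and a tautology in the string field.
BENIGN = json.dumps({"jsonrpc": "2.0", "method": "getDrive",
                     "params": {"name": "drive-01"}, "id": 1})
CRAFTED = json.dumps({"jsonrpc": "2.0", "method": "getDrive",
                      "params": {"name": "x' OR '1'='1"}, "id": 2})

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign :", handle_vulnerable(db, BENIGN))   # ['SN-0001']
    print("vulnerable, crafted:", handle_vulnerable(db, CRAFTED))  # every row leaks
    print("fixed, benign      :", handle_fixed(db, BENIGN))        # ['SN-0001']
    print("fixed, crafted     :", handle_fixed(db, CRAFTED))       # [] (no match)
```

The crafted message returns every row from the concatenating handler because its WHERE clause has been rewritten, while the parameterised handler simply finds no drive with that literal name.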

An attacker can leverage this SQL injection to execute code in the context of NETWORK SERVICE, a built-in Windows account with limited privileges. However, successful exploitation could still lead to full compromise of the backup server, potentially exposing sensitive backup data and providing a foothold for lateral movement within the enterprise network.

Quest has issued an update to correct this vulnerability. The fix is included in NetVault Backup version 14.0.2, as detailed in the release notes available on Quest's support portal. All installations of Quest NetVault Backup prior to this version are considered vulnerable. Organizations running NetVault Backup are strongly advised to apply the patch as soon as possible.

The disclosure timeline shows that the vulnerability was reported to Quest on September 24, 2025, and the coordinated public release of the advisory occurred on June 24, 2026. The advisory was updated on the same day. The researcher who discovered the flaw is credited under the identifier 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044.

This vulnerability is part of a series of SQL injection flaws recently disclosed in Quest NetVault Backup, including similar issues in the NVBUDashboard (CVE-2026-9786), NVBULibrarySlot (CVE-2026-9785), and NVBULibraryPort (CVE-2026-9784) components. The recurring pattern of SQL injection vulnerabilities in the product underscores the importance of thorough input validation in enterprise backup software, where such flaws can have severe consequences.

Given the critical severity and the ability to bypass authentication, CVE-2026-9782 poses a significant risk to organizations that rely on Quest NetVault Backup for data protection. Administrators should prioritize patching and review their backup infrastructure for any signs of compromise. The vulnerability is not yet known to be exploited in the wild, but the public disclosure of technical details increases the likelihood of attacks.

Synthesized by Vypr AI