Quest NetVault Backup NVBULibraryPort SQL Injection Vulnerability (CVE-2026-9784) Allows Remote Code Execution
A critical SQL injection flaw in Quest NetVault Backup's NVBULibraryPort component, tracked as CVE-2026-9784 with a CVSS score of 8.8, allows authenticated attackers to bypass authentication and execute arbitrary code.
Zero Day Initiative has disclosed a critical SQL injection vulnerability in Quest NetVault Backup's NVBULibraryPort component, tracked as CVE-2026-9784 with a CVSS score of 8.8. The flaw, detailed in advisory ZDI-26-373, allows remote authenticated attackers to bypass authentication mechanisms and execute arbitrary code on affected installations.
The vulnerability resides in the processing of NVBULibraryPort JSON-RPC messages. Specifically, the issue stems from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this flaw to execute code in the context of NETWORK SERVICE, a built-in Windows account with elevated privileges.
Quest NetVault Backup is a widely used enterprise backup and recovery solution deployed across organizations of all sizes. The vulnerability affects all installations of the software, making it a significant threat to enterprise environments that rely on NetVault Backup for data protection and disaster recovery.
Quest has issued an update to correct this vulnerability. Users are urged to apply the patch immediately, available in the NetVault Backup 14.0.2 release notes. The update addresses the SQL injection flaw and should be deployed as soon as possible to mitigate the risk of exploitation.
The disclosure timeline shows the vulnerability was reported to Quest on September 24, 2025, with coordinated public release on June 24, 2026. The advisory was updated on the same day. The researcher credited with discovering the flaw is identified by the hash 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044.
This disclosure is part of a broader pattern of SQL injection vulnerabilities discovered in Quest NetVault Backup. Recent advisories have highlighted similar flaws in other components, including NVBULibrarySlot (CVE-2026-9785) and NVBUDashboard (CVE-2026-9786), indicating a systemic issue with input validation across the product's codebase.
Organizations using Quest NetVault Backup should prioritize patching CVE-2026-9784 and the related vulnerabilities to prevent potential breaches. Given the critical severity and the ability to bypass authentication, attackers could use this flaw to gain a foothold in enterprise networks, potentially leading to data theft, ransomware deployment, or lateral movement.