VYPR
patch · Published Jun 24, 2026 · 1 source

Quest NetVault Backup NVBULibrarySlot SQL Injection Vulnerability (CVE-2026-9785) Allows Remote Code Execution

A critical SQL injection flaw in Quest NetVault Backup's NVBULibrarySlot component, tracked as CVE-2026-9785 with a CVSS score of 8.8, allows remote attackers to execute arbitrary code. Exploitation requires authentication, but the existing authentication mechanism can be bypassed.

A critical SQL injection vulnerability has been disclosed in Quest NetVault Backup's NVBULibrarySlot component, tracked as CVE-2026-9785 with a CVSS score of 8.8. The flaw allows remote authenticated attackers to execute arbitrary code, and the existing authentication mechanism can be bypassed, increasing the risk. Quest has issued a patch, and users are urged to apply it immediately.

The vulnerability resides in the processing of NVBULibrarySlot JSON-RPC messages. The issue stems from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE, potentially leading to full system compromise.
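The flaw class described above, shown as an added example that is not code from Quest or from the original article: a JSON-RPC handler that concatenates a request string into SQL, next to a version that validates the value and binds it as a parameter. The table schema, the `slotName` field, the allow-list pattern and the use of SQLite are assumptions made for illustration.

```python
import json
import re
import sqlite3

SLOT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # hypothetical allow-list
QUERY = "SELECT id, name, media FROM library_slot WHERE name = "

def make_db():
    # Constructed schema and rows; the product's real tables are not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE library_slot (id INTEGER, name TEXT, media TEXT)")
    db.executemany("INSERT INTO library_slot VALUES (?, ?, ?)",
                   [(1, "slot-01", "TAPE001"), (2, "slot-02", "TAPE002")])
    return db

def rpc(slot_name):
    # Constructed JSON-RPC request; the params layout is hypothetical.
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "NVBULibrarySlot",
                       "params": {"slotName": slot_name}})

def lookup_unsafe(db, message):
    """Flawed pattern: the request string becomes part of the SQL text."""
    name = json.loads(message)["params"]["slotName"]
    return db.execute(QUERY + "'" + name + "'").fetchall()

def slot_name_from(message):
    """Reject anything that is not a string matching the allow-list."""
    params = json.loads(message).get("params")
    name = params.get("slotName") if isinstance(params, dict) else None
    if not isinstance(name, str) or not SLOT_NAME.fullmatch(name):
        raise ValueError("invalid slotName")
    return name

def query_bound(db, name):
    """Bound parameter: the value is data and never parsed as SQL."""
    return db.execute(QUERY + "?", (name,)).fetchall()

def lookup_safe(db, message):
    return query_bound(db, slot_name_from(message))

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # textbook quote-breaking input
    print("unsafe:", lookup_unsafe(db, rpc(crafted)))  # filter is bypassed
    print("bound :", query_bound(db, crafted))         # matches no row
    try:
        lookup_safe(db, rpc(crafted))
    except ValueError as exc:
        print("safe  :", exc)                          # rejected before the query
    print("safe  :", lookup_safe(db, rpc("slot-01")))
```

Binding alone already stops the query from being rewritten; the validation step additionally rejects malformed requests early, which gives a clean event to log and alert on.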

Quest NetVault Backup is a widely used enterprise backup and recovery solution. The product is deployed across various industries, making this vulnerability a significant concern for organizations relying on it for data protection. The ability to bypass authentication further amplifies the risk, as attackers may not need valid credentials to exploit the flaw.

Quest has released an update to address this vulnerability. Details can be found in the release notes for NetVault Backup 14.0.2 at Quest Support. Users are strongly advised to apply the patch as soon as possible to mitigate the risk of exploitation.

The disclosure timeline indicates that the vulnerability was reported to Quest on September 24, 2025, and the coordinated public release occurred on June 24, 2026. The interval between the report and the coordinated release allowed Quest to develop and test the fix before public disclosure.

This vulnerability is part of a series of recent disclosures affecting Quest NetVault Backup, including other SQL injection and command injection flaws in different components. Organizations should review their security posture and ensure all components are updated to the latest versions to protect against these threats.

Synthesized by Vypr AI