Quest NetVault Backup NVBULogDaemon Command Injection Vulnerability (CVE-2026-9787) Enables Remote Code Execution
A command injection vulnerability in Quest NetVault Backup's NVBULogDaemon component, tracked as CVE-2026-9787 with a CVSS score of 8.8, allows authenticated attackers to bypass authentication and execute arbitrary code at the SYSTEM level.
Quest has disclosed a critical command injection vulnerability in its NetVault Backup solution, tracked as CVE-2026-9787, that allows remote attackers to execute arbitrary code on affected installations. The flaw resides in the NVBULogDaemon component and carries a CVSS score of 8.8, indicating high severity. Although authentication is required to exploit the vulnerability, the existing authentication mechanism can be bypassed, significantly lowering the barrier to attack.
The specific flaw exists within the processing of NVBULogDaemon JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM, the highest level of privilege on Windows systems. This means a successful exploit could give an attacker complete control over the affected backup server.
Quest NetVault Backup is a widely used enterprise backup and recovery solution deployed across many organizations to protect critical data. The software is typically installed on servers that have access to sensitive data stores, making them high-value targets. A successful compromise could allow attackers to move laterally within a network, exfiltrate backup data, or deploy ransomware.
The vulnerability was reported to Quest on September 24, 2025, by a researcher identified by the hash 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044. Quest has issued an update to correct the vulnerability, as detailed in the NetVault Backup 14.0.2 release notes. Users are strongly advised to apply the patch immediately.
This disclosure follows a pattern of recent vulnerabilities in Quest NetVault Backup. Earlier this year, ZDI disclosed CVE-2026-7569, an authentication bypass via cross-site scripting in the viewclient component, and CVE-2026-7570, a critical SQL injection in the NVBUDashboard component. The recurrence of critical flaws in the same product underscores the importance of maintaining up-to-date backup infrastructure.
Organizations using Quest NetVault Backup should prioritize applying the vendor's patch and review their authentication configurations to ensure that the authentication bypass vector is mitigated. Given the high CVSS score and the potential for SYSTEM-level code execution, this vulnerability should be treated as a critical security priority.