Quest NetVault Backup NVBURASDevice SQL Injection Vulnerability (CVE-2026-9781) Allows Remote Code Execution
A critical SQL injection flaw in Quest NetVault Backup's NVBURASDevice component, tracked as CVE-2026-9781 with a CVSS score of 8.8, allows remote attackers to bypass authentication and execute arbitrary code.

A critical SQL injection vulnerability has been disclosed in Quest NetVault Backup, a widely used enterprise backup and recovery solution. The flaw, tracked as CVE-2026-9781 and assigned a CVSS score of 8.8, resides in the NVBURASDevice component and allows remote attackers to execute arbitrary code on affected installations.
The vulnerability stems from improper validation of user-supplied strings when processing NVBURASDevice JSON-RPC messages. Attackers can leverage this to construct malicious SQL queries, potentially bypassing authentication mechanisms. Successful exploitation could allow an attacker to execute arbitrary code in the context of the NETWORK SERVICE account, granting significant control over the affected system.
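The vulnerability class described above, shown as an added example that is not Quest's code and is not taken from the advisory: a JSON-RPC handler that builds SQL text from a client-supplied string, beside the same lookup using a bound parameter. The `device.get` method, the `devices` table, and the use of SQLite as the database are assumptions made for illustration.

```python
import json
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a device inventory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (name TEXT, owner TEXT)")
    db.executemany("INSERT INTO devices VALUES (?, ?)",
                   [("ras-01", "alice"), ("ras-02", "bob")])
    return db

def lookup_unsafe(db, name):
    # Vulnerable pattern: the client string becomes part of the SQL text.
    sql = "SELECT name FROM devices WHERE name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_safe(db, name):
    # Bound parameter: the driver passes the string as data, never as SQL.
    return [r[0] for r in db.execute(
        "SELECT name FROM devices WHERE name = ?", (name,))]

def handle(db, raw, lookup):
    """Dispatch one JSON-RPC 2.0 request; 'device.get' is a hypothetical method."""
    try:
        req = json.loads(raw)
    except json.JSONDecodeError:
        return {"jsonrpc": "2.0", "id": None,
                "error": {"code": -32700, "message": "Parse error"}}
    rid = req.get("id") if isinstance(req, dict) else None
    if not isinstance(req, dict) or req.get("method") != "device.get":
        return {"jsonrpc": "2.0", "id": rid,
                "error": {"code": -32601, "message": "Method not found"}}
    params = req.get("params")
    name = params.get("name") if isinstance(params, dict) else None
    # Type and length check before the value reaches the database layer.
    if not isinstance(name, str) or not 0 < len(name) <= 64:
        return {"jsonrpc": "2.0", "id": rid,
                "error": {"code": -32602, "message": "Invalid params"}}
    return {"jsonrpc": "2.0", "id": rid, "result": lookup(db, name)}

if __name__ == "__main__":
    db = make_db()
    # Constructed request whose string value contains SQL syntax.
    raw = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "device.get",
                      "params": {"name": "x' OR '1'='1"}})
    print("unsafe:", handle(db, raw, lookup_unsafe)["result"])
    print("safe:  ", handle(db, raw, lookup_safe)["result"])
```

The type and length check alone does not stop the constructed input, which is a valid short string; only the bound parameter keeps it from changing the query.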
Quest NetVault Backup is deployed across numerous organizations for data protection, making this vulnerability particularly concerning. The flaw was reported to Quest on September 24, 2025, and a coordinated public advisory was released on June 24, 2026. Quest has issued a patch to address the issue, and users are strongly urged to apply it immediately.
The disclosure follows a series of similar vulnerabilities in Quest NetVault Backup, including SQL injection flaws in other components such as NVBUDeviceDrive (CVE-2026-9782), NVBUDashboard (CVE-2026-9786), NVBULibraryPort (CVE-2026-9784), and NVBULibrarySlot (CVE-2026-9785). These vulnerabilities highlight the importance of thorough input validation in enterprise software.
Organizations using Quest NetVault Backup should prioritize updating to the latest version as specified in the release notes. Until patched, administrators should restrict network access to the affected components and monitor for suspicious activity. The ZDI advisory credits the discovery to researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044.