VYPR
patch · Published Jun 24, 2026 · 1 source

Quest NetVault Backup NVBURemovableMedia SQL Injection Vulnerability (CVE-2026-9783) Allows Remote Code Execution

A critical SQL injection flaw in Quest NetVault Backup's NVBURemovableMedia component, tracked as CVE-2026-9783 with a CVSS score of 8.8, allows remote attackers to execute arbitrary code. Exploitation requires authentication, but the existing authentication mechanism can be bypassed.

Zero Day Initiative (ZDI) disclosed a critical SQL injection vulnerability in Quest NetVault Backup's NVBURemovableMedia component on June 24, 2026. Tracked as CVE-2026-9783 with a CVSS score of 8.8, the flaw allows remote attackers to execute arbitrary code in the context of NETWORK SERVICE; authentication is required, but the existing authentication mechanism can be bypassed. The vulnerability affects all installations of the backup software, and Quest has released an update to address it.

The specific flaw exists within the processing of NVBURemovableMedia JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
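The pattern described above, shown in a minimal Python/SQLite handler as an added example (not Quest's code and not part of the ZDI advisory): a string-built query beside a parameterized one and a validated one. The JSON-RPC method name, the `label` parameter, the `media` table and the label format are assumptions made for illustration.

```python
import json
import re
import sqlite3

LABEL_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed label format

def make_db():
    """Constructed in-memory data; not the product's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE media (label TEXT, owner TEXT)")
    db.executemany("INSERT INTO media VALUES (?, ?)",
                   [("TAPE-001", "alice"), ("TAPE-002", "bob")])
    return db

def build_request(label):
    """Constructed JSON-RPC 2.0 message with a hypothetical method name."""
    return json.dumps({"jsonrpc": "2.0", "id": 1,
                       "method": "media.lookup", "params": {"label": label}})

def lookup_unsafe(db, request_text):
    """Flawed pattern: the user-supplied string becomes part of the SQL text."""
    label = json.loads(request_text)["params"]["label"]
    sql = "SELECT label, owner FROM media WHERE label = '" + label + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, request_text):
    """Parameter binding: the string can only ever be compared as data."""
    label = json.loads(request_text)["params"]["label"]
    sql = "SELECT label, owner FROM media WHERE label = ?"
    return db.execute(sql, (label,)).fetchall()

def lookup_validated(db, request_text):
    """Binding plus type and shape checks on the JSON-RPC parameter."""
    msg = json.loads(request_text)
    params = msg.get("params") if isinstance(msg, dict) else None
    label = params.get("label") if isinstance(params, dict) else None
    if not isinstance(label, str) or not LABEL_RE.fullmatch(label):
        raise ValueError("invalid label")
    sql = "SELECT label, owner FROM media WHERE label = ?"
    return db.execute(sql, (label,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = build_request("x' OR '1'='1")  # constructed test input
    print("unsafe:", lookup_unsafe(db, crafted))
    print("bound: ", lookup_bound(db, crafted))
```

The string-built query returns every row for the crafted label, while the bound query returns none and the validated handler rejects the request before it reaches the database.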

Quest NetVault Backup is a widely used enterprise backup and recovery solution. The NVBURemovableMedia component handles removable media operations, making it a critical part of the backup infrastructure. A successful exploit could allow an attacker to execute arbitrary code, potentially leading to data exfiltration, ransomware deployment, or lateral movement within the network.

Quest has issued an update to correct this vulnerability. The fix is included in NetVault Backup version 14.0.2, as detailed in the release notes. Users are strongly advised to apply the update immediately to mitigate the risk of exploitation. The disclosure timeline shows the vulnerability was reported to Quest on September 24, 2025, with the coordinated public release occurring on June 24, 2026.

This vulnerability is part of a broader pattern of SQL injection flaws discovered in Quest NetVault Backup by ZDI researchers. Multiple similar vulnerabilities have been disclosed in recent months, affecting components such as NVBURASDevice (CVE-2026-9781), NVBUDeviceDrive (CVE-2026-9782), NVBULibrarySlot (CVE-2026-9785), and NVBUDashboard (CVE-2026-9786). Each of these flaws shares a similar attack vector and impact, highlighting systemic issues in input validation across the product.

The disclosure of CVE-2026-9783 underscores the importance of rigorous input validation in enterprise backup software. Organizations using Quest NetVault Backup should prioritize patching to version 14.0.2 and review their security posture for other potential vulnerabilities in the product. As backup systems are prime targets for attackers seeking to disrupt recovery capabilities, timely patching is critical.

Synthesized by Vypr AI