VYPR
Published Jun 24, 2026 · Updated Jul 3, 2026 · 1 source

Quest NetVault Backup: Ten Critical RCE and Auth Bypass Flaws Disclosed Together


Key findings

  • Ten vulnerabilities in Quest NetVault Backup disclosed on June 24, 2026.
  • Multiple SQL injection and command injection flaws allow for remote code execution.
  • Cross-site scripting vulnerabilities enable authentication bypass.
  • The batch includes critical severity flaws affecting core components.
  • Users should apply Quest's security updates promptly.

On June 24, 2026, Quest disclosed a batch of ten vulnerabilities affecting its NetVault Backup software. They include several critical SQL injection and command injection flaws, alongside authentication bypasses via cross-site scripting (XSS). Together, these issues pose a significant risk to users, potentially allowing remote attackers to execute arbitrary code and bypass security measures.

The majority of the disclosed vulnerabilities are SQL injection flaws, each leading to remote code execution. These affect various components within NetVault Backup, including NVBUDashboard (CVE-2026-9786, CVE-2026-7570), NVBULibrarySlot (CVE-2026-9785), NVBULibraryPort (CVE-2026-9784), NVBURemovableMedia (CVE-2026-9783), NVBUDeviceDrive (CVE-2026-9782), and NVBURASDevice (CVE-2026-9781). A command injection vulnerability in NVBULogDaemon (CVE-2026-9787) also permits remote code execution.

Further compounding the risk, two cross-site scripting (XSS) vulnerabilities were disclosed, both enabling authentication bypass. These affect the viewclient component (CVE-2026-7569) and the addclient3 functionality (CVE-2026-9780). Exploiting these XSS flaws requires user interaction, typically involving the victim visiting a malicious webpage.

While the exact patch details or version numbers were not specified in the disclosure, the simultaneous release of these ten CVEs suggests a comprehensive security update is likely available or imminent from Quest. Users of NetVault Backup are strongly advised to consult Quest's official advisories and apply any relevant patches as soon as possible to mitigate the risks associated with these critical vulnerabilities. The concentration of severe flaws, particularly those allowing code execution and authentication bypass, underscores the importance of prompt remediation for maintaining the security posture of backup infrastructure.

Synthesized by Vypr AI