The Zero Day Initiative has published an advisory for a high-severity remote code execution vulnerability in Quest NetVault Backup, tracked as CVE-2026-9785 with a CVSS score of 8.8. The flaw was publicly disclosed on June 24, 2026, following responsible disclosure to Quest in September 2025.
Vulnerability Details
The vulnerability resides in the processing of NVBULibrarySlot JSON-RPC messages. The root cause is insufficient validation of user-supplied input before that input is incorporated into SQL query construction, a classic SQL injection pattern that in this case is exploitable for remote code execution.
While exploitation technically requires authentication, ZDI notes that the existing authentication mechanism can be bypassed, effectively lowering the barrier for unauthenticated attackers. Successful exploitation allows code to run in the context of NETWORK SERVICE.
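To make the root cause concrete, here is an added illustration (not Quest's code) of the pattern the advisory describes: a JSON-RPC handler that splices a request parameter straight into SQL text, beside a hardened version that validates the parameter and binds it as a query value. The table schema, column names, and the shape of the NVBULibrarySlot request are assumptions for the demonstration.

```python
import json
import sqlite3

# Constructed in-memory table standing in for library-slot data; the schema
# and names are assumptions for illustration, not NetVault's real layout.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE library_slot (slot_id INTEGER, library TEXT, media_label TEXT)")
    db.executemany("INSERT INTO library_slot VALUES (?, ?, ?)",
                   [(1, "LIB1", "TAPE001"), (2, "LIB1", "TAPE002"), (3, "LIB2", "TAPE003")])
    return db

def vulnerable_handler(db, request_json):
    """Root-cause pattern: the JSON-RPC parameter becomes part of the SQL text."""
    params = json.loads(request_json)["params"]
    sql = "SELECT slot_id, media_label FROM library_slot WHERE library = '%s'" % params["library"]
    return db.execute(sql).fetchall()

def hardened_handler(db, request_json):
    """Check the parameter against the expected shape, then bind it as a value."""
    params = json.loads(request_json)["params"]
    library = params.get("library")
    if not isinstance(library, str) or not library.isalnum() or len(library) > 32:
        raise ValueError("invalid library identifier")
    sql = "SELECT slot_id, media_label FROM library_slot WHERE library = ?"
    return db.execute(sql, (library,)).fetchall()

def rejects(db, request_json):
    """True when the hardened handler refuses the request outright."""
    try:
        hardened_handler(db, request_json)
        return False
    except ValueError:
        return True

# Constructed sample requests: a benign lookup and a tautology that rewrites the WHERE clause.
BENIGN = json.dumps({"jsonrpc": "2.0", "method": "NVBULibrarySlot",
                     "params": {"library": "LIB1"}, "id": 1})
TAUTOLOGY = json.dumps({"jsonrpc": "2.0", "method": "NVBULibrarySlot",
                        "params": {"library": "x' OR '1'='1"}, "id": 2})

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_handler(db, BENIGN))     # two LIB1 rows
    print(vulnerable_handler(db, TAUTOLOGY))  # all three rows: the filter was rewritten
    print(hardened_handler(db, BENIGN))       # two LIB1 rows
    print(rejects(db, TAUTOLOGY))             # True: input never reaches the database
```

Data-layer parameter binding stops the query from being rewritten; the shape check in front of it is what keeps the untrusted value from being accepted at all, which matters when the authentication in front of the handler can be bypassed.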
CVSS Vector and Risk
The vulnerability carries a CVSS vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability. The combination of an authentication bypass with a network-exploitable injection flaw makes this a meaningful risk for organizations running NetVault Backup in environments accessible over the network.
Patch Availability
Quest has issued a corrective update. Administrators should consult the NetVault 14.0.2 release notes for patch details and apply the update promptly. Given the availability of an authentication bypass, relying on network segmentation alone is not a sufficient mitigation strategy.
Timeline
- September 24, 2025: Vulnerability reported to Quest
- June 24, 2026: Coordinated public advisory release
