Critical SQL Injection Vulnerability in Quest NetVault Backup Disclosed

First seen: 26 Jun 2026, 06:39 UTC. Sources: Mondoo, www.zerodayinitiative.com, www.cve.org

A critical vulnerability, CVE-2026-9783, has been identified in Quest NetVault Backup that allows remote attackers to execute arbitrary code. The SQL injection flaw lies in the processing of NVBURemovableMedia JSON-RPC messages, where user-supplied strings are not adequately validated, which allows SQL queries to be manipulated. Exploitation requires authentication, but the authentication mechanism can be bypassed, increasing the risk of unauthorized access. The vulnerability affects installations of Quest NetVault Backup, and successful exploitation executes code in the context of NETWORK SERVICE. Quest has released an update to address this issue. The CVE was published on June 24, 2026, and security professionals are advised to apply the patch immediately.

Key Points:
• CVE-2026-9783 allows remote code execution via SQL injection in Quest NetVault Backup.
• Authentication can be bypassed, increasing the vulnerability's risk level.
• Quest has issued a patch to mitigate the vulnerability.

Timeline

2026-06-24: CVE-2026-9783 published
The vulnerability in Quest NetVault Backup was officially published, detailing the SQL injection flaw.
Source: Mondoo

2026-06-25: Vulnerability details reported
Mondoo reported on the SQL injection vulnerability, emphasizing its potential for remote code execution.
Source: Mondoo

2026-06-26: Advisory issued by Zero Day Initiative
The Zero Day Initiative confirmed the vulnerability details and noted that Quest has released a patch.
Source: www.zerodayinitiative.com