CVEs: CVE-2026-9780 through CVE-2026-9787, plus CVE-2026-7569 and CVE-2026-7570 | CVSS 3.1: 8.8 (HIGH) for all 8 CVEs | Vendor: Quest | Product: NetVault Backup
What Is the Vulnerability
Quest NetVault Backup contains 8 vulnerabilities that can be chained together to achieve unauthenticated remote code execution on the backup server. The attack chain combines SQL injection vulnerabilities across multiple NetVault components with cross-site scripting (XSS)-based authentication bypass:
SQL Injection (Remote Code Execution):
- CVE-2026-9786 / CVE-2026-7570 — NVBUDashboard SQL injection enabling remote code execution
- CVE-2026-9785 — NVBULibrarySlot SQL injection
- CVE-2026-9784 — NVBULibraryPort SQL injection
- CVE-2026-9783 — NVBURemovableMedia SQL injection
- CVE-2026-9782 — NVBUDeviceDrive SQL injection
Command Injection:
- CVE-2026-9787 — NVBULogDaemon OS command injection enabling remote code execution
Authentication Bypass via XSS:
- CVE-2026-9780 — addclient3 cross-site scripting authentication bypass
- CVE-2026-7569 — viewclient cross-site scripting authentication bypass
Together, an attacker can bypass authentication via XSS (CVE-2026-9780 or CVE-2026-7569), then exploit any of the SQL injection vectors (CVE-2026-9782 through CVE-2026-9786) or the command injection (CVE-2026-9787) to achieve remote code execution on the backup server. NetVault is an enterprise backup and recovery platform — compromise exposes backup data across the entire organisation, including database dumps, file server backups, and application data.
Versions Affected
- Quest NetVault Backup — affected versions prior to the patched release
- All 8 CVEs affect on-premises NetVault Backup deployments with network-accessible web interfaces
Exploited?
No known active exploitation at this time. However, the combination of authentication bypass and multiple SQL injection/command injection vectors makes this an attractive target — enterprise backup platforms are high-value targets for ransomware operators seeking to destroy or encrypt backups before deploying ransomware. Organisations should patch proactively.
Fix
Quest has released patches for all 8 vulnerabilities. Apply the latest NetVault Backup security updates immediately.
- Primary fix: Apply Quest NetVault Backup security updates per vendor advisory
- Workaround: Restrict network access to NetVault Backup web interface to trusted administrative networks only
Recommendations
- Patch immediately. 8 vulnerabilities chaining to RCE on a backup platform is a serious risk.
- Network segmentation. Backup servers should never be directly accessible from untrusted networks. Restrict NetVault web interface access to dedicated management networks.
- Audit backup integrity. Review backup catalogues and job histories for unauthorised modifications or deletions.
- Immutable backups. Ensure backup storage targets support immutability to protect against ransomware operators who may target backup infrastructure.
- Monitor for exploitation. Watch NetVault access logs for unusual SQL queries, unexpected administrative actions, or authentication anomalies.
References
Part of the Vulnerability Intelligence series on threat-modeling.com. 8 CVEs grouped — SQL injection and XSS chain to RCE. See the June 26, 2026 Vulnerability Intelligence Report for broader context.
