10 Flaws in Quest NetVault Backup Allow Auth Bypass and Server Takeover: CVE-2026-9787 and More, Update to 14.0.2
Quest NetVault Backup, enterprise backup software, has 10 CVSS-8.8 vulnerabilities disclosed at once; several allow bypassing authentication and taking over the server to run commands at the highest privilege. Published by Trend Micro's ZDI on June 24, 2026. Fixed in 14.0.2. Update internet-exposed management consoles first.

Makoto Horikawa
Backend Engineer / AWS / Django
Quest's enterprise backup software, NetVault Backup, has been hit with 10 serious vulnerabilities at once. Every one is rated 8.8 out of 10 (High). Several let an attacker slip past the login, and ultimately take over the server and run any command they want. The flaws were found and reported by Trend Micro's Zero Day Initiative (ZDI), one of the world's largest vulnerability research programs, and all 10 were published on June 24, 2026.
The fix is to update to NetVault Backup 14.0.2. Both ZDI and the U.S. National Vulnerability Database (NVD) point to Quest's 14.0.2 release notes as the remediation. A backup product is the "last line of defense" with reach into every piece of company data, which makes it exactly what attackers most want to seize. Servers that expose the management console to the internet should be updated first.
What Quest NetVault Backup is, and why it gets targeted
Quest NetVault Backup is enterprise backup and disaster-recovery software from Quest Software (formerly part of Dell). It protects and restores data across physical servers, virtual machines (VMware, Hyper-V, Nutanix), cloud, and applications such as Microsoft 365 and databases (SQL Server, Oracle). It is used by mid-sized to large organizations and scales to tens of petabytes (now offered as "NetVault Plus").
Backup products are high-value targets for a reason. Backup concentrates almost all of an organization's data in one place, so whoever controls the management server can both steal the contents and destroy the ability to recover. In modern ransomware attacks it is now standard to wipe the backups first, then encrypt the production systems and demand payment. As seen in ransomware incidents hitting manufacturers, how backups are handled often decides the outcome. These 10 flaws are holes in that last line of defense itself.
Who targets this, and what they take
What makes these flaws dangerous is that the entry point is the management console you use every day. Here is who would use it as a foothold.
The likely attackers are intruders already inside the corporate network, and ransomware crews scanning for servers that expose the management console to the internet. What they want is the company's own data piled up in backups (customer records, financials, designs) and the "no longer recoverable" state they can hold hostage. Two of these flaws let an attacker bypass the login that should be required, so even someone without a valid ID or password can gain a foothold simply by getting an administrator to click a crafted link.
The remaining eight, once the management console is reachable, let an attacker smuggle malicious commands into input fields and run programs of their choosing on the server. ZDI assesses that these too can bypass the intended authentication. In the worst case the server's highest privilege (SYSTEM) is seized, and the backup server becomes the attacker's tool. From there, the damage can spread to connected production systems and other servers.
The "8.8" score is only a gauge of technical severity. What an organization actually loses is the data it was entrusted with, and the very "recovery insurance" it expected to fall back on. A mechanism meant to protect backups becoming the way in: that is the heart of these 10 flaws.
The 10 flaws at a glance
The 10 split into three groups by entry point and technique. All are CVSS 8.8 (High).
| CVE | Type | Component | Login | Privilege |
|---|---|---|---|---|
| CVE-2026-9787 | Command injection (most severe) | NVBULogDaemon | Bypassable | SYSTEM |
| CVE-2026-7569 | XSS (auth bypass) | viewclient | Not required | SYSTEM (chained) |
| CVE-2026-9780 | XSS (auth bypass) | addclient3 | Not required | SYSTEM (chained) |
| CVE-2026-7570 | SQLi → RCE | NVBUDashboard | Bypassable | NETWORK SERVICE |
| CVE-2026-9781 | SQLi → RCE | NVBURASDevice | Bypassable | NETWORK SERVICE |
| CVE-2026-9782 | SQLi → RCE | NVBUDeviceDrive | Bypassable | NETWORK SERVICE |
| CVE-2026-9783 | SQLi → RCE | NVBURemovableMedia | Bypassable | NETWORK SERVICE |
| CVE-2026-9784 | SQLi → RCE | NVBULibraryPort | Bypassable | NETWORK SERVICE |
| CVE-2026-9785 | SQLi → RCE | NVBULibrarySlot | Bypassable | NETWORK SERVICE |
| CVE-2026-9786 | SQLi → RCE | NVBUDashboard | Bypassable | NETWORK SERVICE |
"XSS" (cross-site scripting) means slipping a malicious script into a web page; the two XSS flaws here can bypass the intended login, so they serve as the starting point of an attack. "SQL injection" means mixing rogue commands into the statements used to query data, which here escalates to running code on the server (RCE, remote code execution). "Command injection" is the most direct route: making the server run commands outright. The eight injection flaws all stem from how the management traffic (a mechanism called JSON-RPC) is processed.
The individual flaws
CVE-2026-9787: command injection to SYSTEM (most severe)
The "NVBULogDaemon" log-handling component runs a user-supplied string as a system command without proper validation (CWE-78, OS command injection). A successful attack runs arbitrary commands as SYSTEM, the server's highest privilege. ZDI notes authentication is required but can be bypassed, making this the most impactful of the 10 (ZDI-26-376).
CVE-2026-7569 / CVE-2026-9780: login-bypassing XSS
In the "viewclient" (CVE-2026-7569) and "addclient3" (CVE-2026-9780) management pages, insufficient input validation allows a malicious script to be injected (CWE-79). Both work without a login and serve as the point that breaks past the intended authentication. They require a user to open a crafted page, but chained with the other flaws they can lead all the way to code execution as SYSTEM (ZDI-26-369).
CVE-2026-7570 / 9781 / 9782 / 9783 / 9784 / 9785 / 9786: SQL injection to code execution (7)
The remaining seven flaws sit in several components that handle management traffic, each folding an unvalidated string into a database statement (CWE-89, SQL injection). They span the dashboard (NVBUDashboard: CVE-2026-7570 and 9786) and the device/media management parts (NVBURASDevice, NVBUDeviceDrive, NVBURemovableMedia, NVBULibraryPort, NVBULibrarySlot). All lead to code execution on the server (as NETWORK SERVICE), with authentication required but bypassable; it is the same class of flaw recurring across multiple input points.
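To make the three flaw classes named in the advisories concrete from the defender's side, here is an added, hypothetical illustration (it is not NetVault code and does not reproduce any of the reported bugs): a CWE-89 pattern where a string is folded into a SQL statement next to the parameterized form, a CWE-78 pattern where a value reaches a shell next to an argv-list form with an allowlist, a CWE-79 pattern where a value is interpolated into HTML next to the output-encoded form, and a small JSON-RPC entry point that only dispatches to the hardened handlers after allowlisting the method and type-checking its parameters. The table, column, method and parameter names and the sample rows are all constructed for this example.

```python
"""Hypothetical illustration, not NetVault code: the three flaw classes named in
the advisories (CWE-89 SQL injection, CWE-78 OS command injection, CWE-79 XSS),
each in the unsafe pattern next to its hardened form. Table, column, method and
parameter names, and the sample rows, are constructed for this example."""
import html
import json
import re
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    # Constructed inventory standing in for a backup server's device table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [(1, "tape-lib-01", "alice"), (2, "disk-pool-02", "bob"), (3, "vtl-03", "alice")],
    )
    return conn


# --- CWE-89: SQL injection ---------------------------------------------------
def devices_unsafe(conn: sqlite3.Connection, owner: str) -> list[str]:
    # The caller-controlled string becomes part of the statement text, so a
    # quote character in it rewrites the query's logic.
    sql = f"SELECT name FROM devices WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def devices_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    # Parameter binding: the value travels separately from the SQL text and is
    # never parsed as SQL, whatever characters it contains.
    rows = conn.execute("SELECT name FROM devices WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# --- CWE-78: OS command injection --------------------------------------------
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")


def count_lines_unsafe(path: str) -> int:
    # shell=True hands the whole string to a shell, so ';', '|' or '$(...)' in
    # the value are interpreted as shell syntax rather than as a filename.
    out = subprocess.run(f"wc -l {path}", shell=True, capture_output=True, text=True)
    return int(out.stdout.split()[0])


def count_lines_safe(path: str) -> int:
    # Argv list with no shell, plus an allowlist on the value: metacharacters
    # are rejected up front and could not reach a shell anyway.
    if not SAFE_PATH.fullmatch(path) or ".." in path:
        raise ValueError("rejected path: %r" % path)
    out = subprocess.run(["wc", "-l", path], capture_output=True, text=True, check=True)
    return int(out.stdout.split()[0])


# --- CWE-79: cross-site scripting --------------------------------------------
def render_client_unsafe(name: str) -> str:
    # Raw interpolation into HTML: a client name containing markup is rendered
    # as markup in the administrator's browser.
    return f"<td>{name}</td>"


def render_client_safe(name: str) -> str:
    # Output encoding turns <, >, & and quotes into entities, so the browser
    # displays the text instead of interpreting it.
    return f"<td>{html.escape(name)}</td>"


# --- A JSON-RPC entry point that only reaches the hardened handlers ----------
METHODS = {"listDevices": devices_safe}


def handle_rpc(conn: sqlite3.Connection, raw: str) -> dict:
    # Allowlist the method name and type-check each parameter before it gets
    # anywhere near SQL; the same shape applies to any management RPC surface.
    req = json.loads(raw)
    handler = METHODS.get(req.get("method"))
    params = req.get("params")
    if handler is None or not isinstance(params, dict) or not isinstance(params.get("owner"), str):
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": -32602, "message": "invalid request"}}
    return {"jsonrpc": "2.0", "id": req.get("id"), "result": handler(conn, params["owner"])}


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed input for the demonstration
    print("unsafe:", devices_unsafe(db, tautology))  # every row comes back
    print("safe:  ", devices_safe(db, tautology))    # no owner has that literal name
    print(handle_rpc(db, json.dumps(
        {"jsonrpc": "2.0", "id": 1, "method": "listDevices", "params": {"owner": "alice"}})))
```

The point of the RPC wrapper is that the fix for "the same class of flaw recurring across multiple input points" is structural: every parameter is bound, never concatenated, and the dispatch layer refuses anything that is not an expected method with expected types, so a new endpoint cannot reintroduce the pattern by accident.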
Are you affected?
Affected organizations are those running Quest NetVault Backup (the 14.0.x line). Public ZDI/NVD data lists the tested versions as 14.0.1.7 for the two XSS flaws and 14.0.0.19 for the eight injection flaws (the numbers differ because each report was validated on a single build; this does not mean earlier versions are safe). Use the table below to gauge your risk.
| Situation | Risk | What to do |
|---|---|---|
| Management console exposed to internet | Critical | Update to 14.0.2 now + stop exposing it |
| Internal network only | High (abused for lateral movement) | Update to 14.0.2 promptly |
| Already on 14.0.2 or later | Low | Confirm the update is applied |
| Not using NetVault | None | No action needed |
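The table above is easy to apply to one server and tedious to apply to a fleet, and the version strings involved have different numbers of components (14.0.1.7 and 14.0.0.19 against the fixed 14.0.2), which is exactly where a naive string comparison goes wrong. The following added triage helper, written for this article and not a Quest tool, parses the version numerically, compares it with 14.0.2, and applies the exposure rows of the table to a constructed inventory; hostnames, versions and exposure flags in the sample are made up.

```python
"""Added triage helper (not a Quest tool): parses NetVault Backup version
strings, compares them numerically with the fixed release 14.0.2, and applies
the exposure table above to a constructed inventory. Hostnames, versions and
exposure flags in the sample are made up."""
FIXED_VERSION = "14.0.2"


def parse_version(text: str) -> tuple[int, ...]:
    # Numeric, component-wise comparison. A plain string compare would put
    # "14.0.10" before "14.0.2"; zero-padding lets the three-part 14.0.2
    # compare correctly against four-part builds such as 14.0.1.7.
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_fixed(version: str) -> bool:
    return parse_version(version) >= parse_version(FIXED_VERSION)


def triage(version: str, internet_exposed: bool) -> tuple[str, str]:
    # Rows of the risk table above, in order of precedence: a patched host is
    # low risk whatever its exposure; an unpatched one is ranked by exposure.
    if is_fixed(version):
        return "Low", "Confirm the update is applied"
    if internet_exposed:
        return "Critical", "Update to 14.0.2 now and take the console off the internet"
    return "High", "Update to 14.0.2 promptly"


RANK = {"Critical": 0, "High": 1, "Low": 2}


def work_list(inventory: list[dict]) -> list[dict]:
    # Annotates each host with risk and action and orders the most urgent first.
    rows = []
    for host in inventory:
        risk, action = triage(host["version"], host["exposed"])
        rows.append({**host, "risk": risk, "action": action})
    return sorted(rows, key=lambda r: (RANK[r["risk"]], r["host"]))


# Constructed sample inventory (hostnames, versions and exposure are made up).
SAMPLE_INVENTORY = [
    {"host": "nvbu-dc1", "version": "14.0.0.19", "exposed": False},
    {"host": "nvbu-dmz", "version": "14.0.1.7", "exposed": True},
    {"host": "nvbu-lab", "version": "14.0.2", "exposed": False},
    {"host": "nvbu-dc2", "version": "14.0.10", "exposed": True},
]

if __name__ == "__main__":
    for row in work_list(SAMPLE_INVENTORY):
        print(f"{row['risk']:<9}{row['host']:<11}{row['version']:<11}{row['action']}")
```

Feed it the versions reported by your own servers; the ordering puts internet-exposed unpatched consoles at the top, which matches the advice to update those first.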
None of the 10 are currently listed in CISA's Known Exploited Vulnerabilities catalog (KEV), and no real-world exploitation has been reported. Even so, backup products, like file-transfer and VPN gear, are a category that has repeatedly ended up in KEV. Now that details are public, act before attack attempts ramp up.
What to do
The core fix is to update NetVault Backup to 14.0.2 or later. Quest's official 14.0.2 release notes describe it as including "Web UI security fixes," and all 10 ZDI/NVD advisories reference these same release notes as the remediation. On existing deployments, check your running version first and plan the move to 14.0.2.
If you cannot update immediately, you can reduce risk by taking the management console (Web UI) off the internet, restricting which devices and networks can reach it, and reminding administrators not to open links from unknown sources. Because the two XSS flaws start with "getting an admin to click a link," that reminder genuinely helps. These are stopgaps, though; updating is the real fix. Keep in mind that backup servers are a top-priority target for attackers, so they deserve priority over other infrastructure.
Confirmed facts and open questions
Confirmed
- 10 flaws in Quest NetVault Backup (all CVSS 8.8), published by ZDI on June 24, 2026 (ZDI Advisories)
- 2 XSS, 7 SQL injection, 1 command injection; worst case is arbitrary code execution as SYSTEM
- Fixed in 14.0.2; both ZDI and NVD reference Quest's 14.0.2 release notes
- Not in CISA KEV; no real-world exploitation reported so far
Open questions
- Quest's 14.0.2 release notes mark the item "CVE: Pending," so Quest has not yet published the per-CVE mapping; the fix version 14.0.2 itself is consistently indicated by both ZDI and NVD
- The full range of affected versions: public data lists only the tested builds (14.0.1.7 / 14.0.0.19)
- Researcher identity: ZDI lists only an anonymized identifier
FAQ
Q. Will damage happen right away?
A. No real-world exploitation has been reported so far, and none are in CISA KEV. But now that the details are public, attack attempts may increase. If your management console is exposed externally, update urgently.
Q. If a login is required, are we safe as long as it's internal-only?
A. Don't count on it. Two of the 10 can bypass the login, and ZDI rates the other eight as bypassable too. An intruder already inside the network could also abuse them as a stepping stone to other servers.
Q. Which version should we update to?
A. 14.0.2 or later. Both ZDI and NVD point to Quest's 14.0.2 release notes as the fix. Note that Quest's release notes still mark the relevant CVEs as "pending," but every source agrees the fixed version is 14.0.2.
Bottom line
The 10 flaws in Quest NetVault Backup are all rated 8.8 and serious, ranging from bypassing authentication to full server takeover (code execution at the highest SYSTEM privilege). Backup is the aggregation point for company data and the "last line of defense" that ransomware crews hit first. Update to the fixed 14.0.2 before that defensive mechanism becomes the way in.
If you can't update immediately, take the management console off the internet and narrow who can reach it to reduce risk. No exploitation has been reported yet, but with the details public, the faster you act the safer you are. This is also a good moment to inventory the versions and support status of the software you run.
References
- Zero Day Initiative - Published Advisories (ZDI-26-368 to 377)
- ZDI-26-376 - NVBULogDaemon command injection (CVE-2026-9787)
- ZDI-26-369 - addclient3 XSS (CVE-2026-9780)
- NVD - CVE-2026-9787 Detail
- NVD - CVE-2026-7569 Detail
- Quest - NetVault Backup 14.0.2 Release Notes
- Quest - NetVault Plus product page