Critical RCE via SQL Injection (CVE‑2026‑9781) in Quest NetVault Backup
What It Is — Quest NetVault Backup’s NVBURASDevice component contains an SQL‑injection flaw that lets remote attackers execute arbitrary code. The vulnerability stems from insufficient validation of JSON‑RPC input that is concatenated into SQL statements.
Exploitability — CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An exploit requires valid credentials, but the authentication check can be bypassed, making remote code execution feasible in the context of the NETWORK SERVICE account. No public PoC has been released, but the vendor has confirmed the issue and issued a patch.
Affected Products — Quest NetVault Backup (all versions prior to the 14.0.2 update).
Why It Matters for Compliance & Audit Readiness
- SOC 2 control CC6.1 (System Operations) requires that software components be protected against known vulnerabilities; a missing patch represents a control gap.
- Continuous evidence of remediation (patch deployment, configuration validation) is essential for audit trails and for demonstrating due diligence to enterprise customers.
Recommended Actions
- Apply Quest’s 14.0.2 update immediately and verify the patch via checksum.
- Map the vulnerability to SOC 2 CC6.1 and capture patch‑deployment logs as immutable evidence.
- Conduct a focused code‑review of any custom JSON‑RPC handling to ensure proper input sanitization.
- Update your vulnerability‑management workflow to flag any future “authentication‑bypass” findings for rapid escalation.
Source: Zero Day Initiative advisory