Critical RCE via SQL Injection (CVE‑2026‑9784) in Quest NetVault Backup
What It Is — Quest NetVault Backup’s NVBULibraryPort service suffers a SQL‑injection flaw that lets an attacker craft a malicious JSON‑RPC message, bypass authentication, and execute arbitrary code as the NETWORK SERVICE account.
Exploitability — The vulnerability is publicly disclosed, has a CVSS 8.8 (High) score, and an exploit exists in the wild; Quest has released a patch.
Affected Products — Quest NetVault Backup (all versions prior to the June 2026 security update).
Why It Matters for Compliance & Audit Readiness
- Control Mapping – The flaw maps directly to SOC 2 CC6.1 (Logical Access Controls) and CC6.2 (System Operations), requiring documented remediation to satisfy auditors.
- Continuous Evidence – Demonstrating timely patch deployment and configuration hardening provides the audit‑ready evidence SOC 2 auditors now expect from enterprise buyers.
Recommended Actions
- Deploy Quest’s June 2026 security update to all NetVault Backup instances.
- Restrict NVBULibraryPort access to trusted networks or internal segments only.
- Update your SOC 2 control inventory to reflect the remediation and capture patch‑deployment logs as continuous compliance evidence.