HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical RCE in Quest NetVault Backup (CVE‑2026‑9787) Enables System‑Level Code Execution

Quest NetVault Backup contains a command‑injection flaw (CVE‑2026‑9787) that lets attackers bypass authentication and run code as SYSTEM. The vulnerability scores 8.8 on CVSS and affects all pre‑14.0.2 versions. For SOC 2‑ready organizations, the flaw underscores the need for continuous vulnerability monitoring and auditable patch evidence.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 zerodayinitiative.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
4 recommended
📰
Source
zerodayinitiative.com

Critical RCE in Quest NetVault Backup (CVE‑2026‑9787) Enables System‑Level Code Execution

What It Is — A command‑injection flaw in the NVBULogDaemon component of Quest NetVault Backup allows remote attackers to execute arbitrary code with SYSTEM privileges. Authentication is required but can be bypassed via crafted JSON‑RPC messages.

Exploitability — Public advisory released 24 Jun 2026; proof‑of‑concept exists; CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Affected Products — Quest NetVault Backup (all versions prior to the 14.0.2 patch).

Why It Matters for Compliance & Audit Readiness

  • SOC 2 Change Management & Vulnerability Management controls require timely detection, remediation, and auditable evidence of patch deployment.
  • Continuous control monitoring must capture unpatched RCE flaws to provide a defensible audit trail.
  • Enterprise buyers now demand proof of systematic patch‑management processes as part of a SOC 2‑ready posture.

Recommended Actions

  • Map this finding to SOC 2 CC6.1 (Vulnerability Management) and CC7.1 (Change Management) controls.
  • Deploy Quest’s 14.0.2 update immediately; retain patch‑install logs as audit evidence.
  • Enable automated scanning for CVE‑2026‑9787 across all backup servers and feed results into your continuous compliance dashboard.
  • Review authentication mechanisms for JSON‑RPC interfaces and enforce least‑privilege service accounts.

Source: Zero Day Initiative Advisory ZDI‑26‑376

📰 Original Source
http://www.zerodayinitiative.com/advisories/ZDI-26-376/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →