Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network JSON-RPC reachability and low complexity (AV:N/AC:L); PR:L retained because nominal auth exists though bypassable; full RCE as NETWORK SERVICE gives C:H/I:H/A:H.
Primary rating from Vendor (trendmicro).
CVSS VectorVendor: trendmicro
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Quest NetVault Backup NVBUDeviceDrive SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the processing of NVBUDeviceDrive JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27633.
AnalysisAI
Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBUDeviceDrive JSON-RPC message handler, where a user-supplied string is concatenated into a SQL query without validation (CWE-89). Although the product requires authentication, the existing authentication mechanism can be bypassed, so remote attackers can reach the flaw and execute arbitrary code in the context of the NETWORK SERVICE account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to reach the NetVault Backup JSON-RPC interface over the network and deliver a crafted NVBUDeviceDrive message; the vulnerable input is a user-supplied string used to build a SQL query. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a real priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to the NetVault Backup service abuses the authentication bypass to gain access, then sends a crafted NVBUDeviceDrive JSON-RPC message containing a malicious SQL fragment in a user-supplied field. The injected query executes against the backend database and is leveraged to run operating-system commands, giving the attacker code execution as NETWORK SERVICE. … |
| Remediation | Upgrade to the fixed release per the vendor advisory - the referenced Quest NetVault Backup 14.0.2 release notes (https://support.quest.com/technical-documents/netvault/14.0.2/release-notes#TOPIC-2338529) indicate the corrected version, and the ZDI advisory ZDI-26-371 (https://www.zerodayinitiative.com/advisories/ZDI-26-371/) should be reviewed to confirm the exact patched build for your deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Quest NetVault Backup instances, immediately restrict network access to JSON-RPC interfaces (port 1610) to trusted networks only, enable enhanced logging for NVBUDeviceDrive requests, and contact Quest Software for patch timeline. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Netvault Backup
View allDell Netvault Backup before 10.0.5 allows remote attackers to cause a denial of service (crash) via a crafted request. R
Integer overflow in the libnv6 module in Dell NetVault Backup before 10.0.5 allows remote attackers to execute arbitrary
This vulnerability allows remote attackers to bypass authentication on vulnerable installations of Quest NetVault Backup
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backu
Remote code execution in Quest NetVault Backup allows authenticated remote attackers - who can bypass the product's exis
Remote code execution in Quest NetVault Backup arises through SQL injection in the NVBUDashboard component's JSON-RPC me
Remote code execution in Quest NetVault Backup arises from a SQL injection flaw in the handling of NVBULibrarySlot JSON-
SQL injection in Quest NetVault Backup's NVBULibraryPort JSON-RPC handler allows remote attackers to execute arbitrary c
SQL injection leading to remote code execution affects Quest NetVault Backup, where the NVBURemovableMedia component fai
Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBURASDevice JSON-RPC message handler,
SQL injection leading to remote code execution in Quest NetVault Backup allows attackers to run arbitrary code as the NE
Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39142
GHSA-vm9v-g522-qr6w