Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-facing JSON-RPC service with low complexity; authentication is required but bypassable so PR:L is retained, and SQLi-to-RCE as a service account yields full C/I/A impact.
Primary rating from Vendor (trendmicro).
CVSS VectorVendor: trendmicro
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Quest NetVault Backup NVBURemovableMedia SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the processing of NVBURemovableMedia JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27632.
AnalysisAI
SQL injection leading to remote code execution affects Quest NetVault Backup, where the NVBURemovableMedia component fails to validate a user-supplied string before constructing SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, effectively lowering the barrier to network-based attackers who can then execute code in the context of the NETWORK SERVICE account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the Quest NetVault Backup management service that processes NVBURemovableMedia JSON-RPC messages. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, only low privileges required, no user interaction, with high confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to the NetVault management service abuses the bypassable authentication mechanism to reach the NVBURemovableMedia JSON-RPC endpoint, then submits a crafted message containing a malicious string that is concatenated into a backend SQL query. The injected SQL is leveraged to achieve code execution as NETWORK SERVICE, giving the attacker control over the backup server and, by extension, the backup data it manages. … |
| Remediation | Upgrade to the fixed Quest NetVault Backup release referenced in the vendor advisory - the Quest release notes for NetVault 14.0.2 (https://support.quest.com/technical-documents/netvault/14.0.2/release-notes#TOPIC-2338529) are cited as the remediation source, so apply that 14.0.2 (or later) build per Quest's guidance and cross-check the ZDI advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-372/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Restrict network access to all Quest NetVault Backup servers to authorized networks only, and review access/backup logs for exploitation attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Netvault Backup
View allDell Netvault Backup before 10.0.5 allows remote attackers to cause a denial of service (crash) via a crafted request. R
Integer overflow in the libnv6 module in Dell NetVault Backup before 10.0.5 allows remote attackers to execute arbitrary
This vulnerability allows remote attackers to bypass authentication on vulnerable installations of Quest NetVault Backup
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backu
Remote code execution in Quest NetVault Backup allows authenticated remote attackers - who can bypass the product's exis
Remote code execution in Quest NetVault Backup arises through SQL injection in the NVBUDashboard component's JSON-RPC me
Remote code execution in Quest NetVault Backup arises from a SQL injection flaw in the handling of NVBULibrarySlot JSON-
SQL injection in Quest NetVault Backup's NVBULibraryPort JSON-RPC handler allows remote attackers to execute arbitrary c
Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBUDeviceDrive JSON-RPC message handler
Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBURASDevice JSON-RPC message handler,
SQL injection leading to remote code execution in Quest NetVault Backup allows attackers to run arbitrary code as the NE
Authentication bypass via cross-site scripting in Quest NetVault Backup's addclient3 webpage allows remote attackers to
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39144
GHSA-2gj9-425g-wxfr