CVE-2026-7570 in NetVault Backup
Summary
by MITRE • 06/25/2026
Quest NetVault Backup NVBUDashboard SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the processing of NVBUDashboard JSON-RPC messages. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-27809.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/25/2026
This vulnerability represents a critical security flaw in Quest NetVault Backup software that enables remote code execution through SQL injection techniques. The vulnerability resides within the NVBUDashboard component's JSON-RPC message processing functionality, where user-supplied input is inadequately validated before being incorporated into database queries. The issue stems from insufficient sanitization of input parameters that are directly used to construct SQL commands, creating an environment where malicious payloads can be injected and executed with elevated privileges.
The technical exploitation of this vulnerability occurs through the improper handling of JSON-RPC messages within the NVBUDashboard service. When processing incoming requests, the system fails to implement proper input validation or parameterized query construction mechanisms that would normally prevent malicious SQL code from being executed. This lack of input sanitization creates a direct pathway for attackers to inject arbitrary SQL commands that can be interpreted and executed by the underlying database engine. The vulnerability specifically affects the way user-supplied strings are processed within SQL query construction, making it susceptible to classic SQL injection attacks that have been documented in CWE-89.
From an operational perspective, successful exploitation of this vulnerability allows remote attackers to execute arbitrary code with the privileges of the NETWORK SERVICE account, which represents a significant escalation from typical user-level access. The existing authentication mechanism can be bypassed, meaning that even without legitimate credentials an attacker can potentially gain system access through this vector. This creates a particularly dangerous scenario where network-based attacks can be launched against systems without requiring valid authentication tokens or credentials. The impact extends beyond simple code execution to potentially allow full system compromise and data exfiltration.
The vulnerability's classification aligns with ATT&CK technique T1213.002 for Data from Information Repositories, as it enables unauthorized access to database systems through injection techniques. Organizations using Quest NetVault Backup are particularly vulnerable since the attack surface includes network-accessible services that process remote JSON-RPC requests. The security implications include potential data breaches, system compromise, and unauthorized access to backup systems that often contain sensitive organizational data. This vulnerability represents a critical weakness in database input validation and access control mechanisms that can be exploited through network-based attacks without requiring physical access to the systems.
Mitigation strategies should focus on implementing proper input validation and parameterized query construction throughout the application codebase. Organizations should ensure that all user-supplied inputs are properly sanitized before being incorporated into database operations, following established security practices such as those outlined in OWASP Top 10 and NIST guidelines. System administrators should also implement network segmentation to limit access to backup systems, deploy intrusion detection systems to monitor for suspicious JSON-RPC traffic patterns, and ensure that all systems receive timely security updates from vendors. The vulnerability demonstrates the critical importance of proper input validation in preventing SQL injection attacks and maintaining system integrity against remote exploitation attempts.