On June 24, 2026, Trend Micro published advisory ZDI-26-376, detailing a remote code execution vulnerability in Quest NetVault Backup. The flaw, tracked as CVE-2026-9787 with a CVSS score of 8.8, resides in the NVBULogDaemon component and was reported to the vendor on September 24, 2025. The service processes JSON-RPC messages without validating user-supplied strings before passing them to system calls, enabling command injection that executes in the SYSTEM context.
- The CVE-2026-9787 vulnerability in Quest NetVault Backup's NVBULogDaemon component carries a CVSS score of 8.8.
- The attack mechanism is command injection via JSON-RPC messages, caused by a lack of user-string validation before system call execution.
- Authentication is bypassable: although required, the existing mechanism does not prevent exploitation.
- Quest has released an update, but the official release notes do not mention CVE-2026-9787, ZDI-26-376, or the NVBULogDaemon component.
The Attack Path: From JSON-RPC to SYSTEM
The NVBULogDaemon service exposes a JSON-RPC interface that receives messages for processing. According to advisory ZDI-26-376, the component fails to properly validate a user-supplied string before using it to execute a system call. This lack of sanitization opens the door to command injection: an attacker embeds arbitrary commands within the JSON-RPC payload, which the operating system executes as if they were legitimate instructions.
The result is code execution in the context of SYSTEM, the highest-privilege account on Windows. The impact is amplified by the nature of the product: NetVault Backup manages enterprise backups across heterogeneous environments, with access to storage, databases, and disaster recovery infrastructure. A compromise at this level exposes not only data in transit but potentially the entire backup ecosystem on which organizations rely for operational continuity.
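The flaw class described above, a JSON-RPC string reaching a command line unvalidated, shown next to a hardened handler. This is an added illustration, not NetVault or NVBULogDaemon code: the `rotate_log` method, the `name` parameter and the `logtool` command are hypothetical, and a Python one-liner stands in for the OS utility.

```python
import json
import re
import subprocess
import sys

# Stand-in for the OS utility a daemon might launch: echoes its argv as JSON.
TOOL = [sys.executable, "-c", "import json,sys; print(json.dumps(sys.argv[1:]))"]
# Allowlist for the hypothetical "name" parameter: no shell metacharacters,
# and no leading "-" so the value cannot be read as an option by the tool.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

def vulnerable_command(request: str) -> str:
    """Flawed pattern: the request string is spliced into a shell command line."""
    name = json.loads(request)["params"]["name"]
    return "logtool --rotate " + name  # a shell would parse separators in name

def run_tool(name: str) -> list:
    """Launch the stand-in tool with an argv list and no shell; return its argv."""
    out = subprocess.run(TOOL + ["--rotate", name], capture_output=True,
                         text=True, check=True, timeout=10)
    return json.loads(out.stdout)

def handle_hardened(request: str) -> dict:
    """Validate the parameter first, then execute without a shell."""
    req = json.loads(request)
    reply = {"jsonrpc": "2.0", "id": req.get("id")}
    params = req.get("params")
    name = params.get("name") if isinstance(params, dict) else None
    if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
        reply["error"] = {"code": -32602, "message": "Invalid params"}
        return reply
    reply["result"] = run_tool(name)
    return reply

# Constructed sample requests (not captured traffic).
GOOD = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "rotate_log",
                   "params": {"name": "backup-2026.log"}})
BAD = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "rotate_log",
                  "params": {"name": "x & echo INJECTED"}})

if __name__ == "__main__":
    print(vulnerable_command(BAD))        # separator lands on the command line
    print(run_tool("x & echo INJECTED"))  # argv keeps it as one inert argument
    print(handle_hardened(BAD))           # rejected before any process starts
    print(handle_hardened(GOOD))
```

The two defenses are independent: passing an argv list removes shell parsing, and the allowlist rejects unexpected input before any process is launched.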
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed." — ZDI Advisory ZDI-26-376
The Authentication Bypass: A Second Layer of Exposure
A critical element emerges from the vulnerability's structure itself. The advisory specifies that authentication is required to exploit the flaw, but that "the existing authentication mechanism can be bypassed." This detail turns a potential limitation into an aggravating factor: there is no need to find valid credentials or bypass a complex MFA system. Authentication, while present in the access flow, does not constitute an effective barrier.
The available source material does not specify the bypass technique used. No details emerge on the authentication protocol involved, nor on any related vulnerabilities in the same component or adjacent modules. This gap prevents mapping a complete attack path and represents a significant limitation for risk assessment on specific infrastructures.
Quest's Patch and the Black Hole in Release Notes
Quest has released an update to address the vulnerability, as documented in advisory ZDI-26-376. However, verification of the official product release notes — version 14.0.2, a technical document published on support.quest.com — reveals no mention of CVE-2026-9787, ZDI-26-376, or the NVBULogDaemon component. The document lists "generic security fixes" without technical details corresponding to the specific flaw.
This discrepancy raises two operational concerns. First, system administrators who rely solely on official release notes for patch planning may fail to identify the urgency of updating. Second, the lack of specific documentation makes it impossible to verify after the fact whether a system is actually patched, short of active vulnerability testing or direct contact with Quest support.
Why This Matters
Advisory ZDI-26-376 does not specify the exact versions of NetVault Backup affected by the vulnerability. The available source material also does not document the presence of public exploits or PoC demonstrations, nor technical details on the full attack vector (network, local, or adjacent) beyond the generic remote access capability.
The available source material does not list specific impacts on availability and integrity beyond the confidentiality implied by arbitrary code execution. No infrastructure overlap emerges linking this vulnerability to other CVEs in the same period, although the broader context of audits on NetVault Backup suggests a consolidated risk profile for the product.
The coordinated release of the advisory occurred on June 24, 2026, nine months after the initial report. This interval, consistent with coordinated disclosure practices, leaves a significant window during which the vulnerability was known to the vendor but not public: the available source material does not document whether interim fixes or private alerts were issued to enterprise customers.
Context: A Chain of Flaws in NetVault Backup
ZDI-26-376 sits within a broader landscape of vulnerabilities in the same product. The Zero Day Initiative's published list documents at least nine CVEs with a CVSS score of 8.8 in the period considered, all related to Quest NetVault Backup and classified to include SQL injection, cross-site scripting, and authentication bypass. The NVBULogDaemon component emerges as a privileged entry point, but it is part of a systemic pattern.
This concentration of severe flaws in a narrow timeframe suggests that security auditing of the product has not adequately covered the network-exposed attack surfaces, particularly the management and logging services that interact directly with the operating system. For organizations running NetVault Backup in critical environments, risk assessment cannot be limited to a single CVE but must extend to the product's overall security posture.
Questions and Answers
- What is the documented attack path for CVE-2026-9787?
  The attack exploits JSON-RPC messages sent to the NVBULogDaemon service, injecting arbitrary commands into an unvalidated string passed to a system call. Authentication is bypassable and execution occurs as SYSTEM.
- Why are Quest's official release notes relevant in this case?
  Because they do not mention CVE-2026-9787 or the NVBULogDaemon component, making it difficult for administrators to verify the presence of the fix through the vendor's official channels.
- Do public exploits or active attack attestations exist?
  The available source material does not document the presence of public exploits, PoCs, or active attacks leveraging this specific vulnerability.
The enterprise backup structure represents a strategic target: compromising it means gaining access to historical data, the ability to destroy recovery points, and leverage for extortion. CVE-2026-9787 is not a theoretical vulnerability on a marginal service, but an open door to one of the most sensitive systems in IT infrastructure. The availability of the patch, albeit not documented with the necessary precision, demands active verification by administrators managing network-exposed NetVault Backup installations.
Information is based on the cited advisory and current as of publication.