CVE-2017-17417

CRITICAL

Quest NetVault Backup 11.3.0.12 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-17417. PoCs published by Chris Anastasio.

AI-analyzed exploit summary This exploit leverages a SQL injection vulnerability in Quest NetVault Backup Server's NVBUPhaseStatus Acknowledge method to achieve remote code execution. It uses sqlmap to automate the exploitation process after authenticating with default credentials.

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPhaseStatus Acknowledge method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4228.

Exploits (1)

exploitdb WORKING POC
by Chris Anastasio · textwebappsmultiple
https://www.exploit-db.com/exploits/46446

This exploit leverages a SQL injection vulnerability in Quest NetVault Backup Server's NVBUPhaseStatus Acknowledge method to achieve remote code execution. It uses sqlmap to automate the exploitation process after authenticating with default credentials.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Quest NetVault Backup Server < 11.4.5
Auth required
Prerequisites: Network access to the target · Default credentials (admin with blank password)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46446/
Third Party Advisory, VDB Entry x_refsource_misc
https://zerodayinitiative.com/advisories/ZDI-17-982

Scores

CVSS v3 9.8
EPSS 0.1020
EPSS Percentile 95.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
quest/netvault_backup 11.3.0.12
Published Feb 08, 2018
Tracked Since Feb 18, 2026