ELEVATED 2 min read 25 Jun 2026

Quest NetVault Backup RCE batch targets backup infrastructure

Today's intelligence is consolidated into eighteen priority findings plus one update to an ongoing Cisco SD-WAN story. The main shift is from yesterday's KEV patch queue to privileged control paths: browser extensions, identity services, backup platforms, NAS administration, CI/CD workflows, and EU advisory routing. 11 further items tracked below.

Key findings
01
Quest NetVault Backup RCE batch targets backup infrastructure
HIGH
CVSS 8.8 high · CWE-89 SQL Injection. Quest NetVault Backup has a four-CVE remote code execution batch: CVE-2026-9784, CVE-2026-9785, CVE-2026-9786, and CVE-2026-9787. Backup infrastructure is often trusted deeply and monitored lightly.
CVE-2026-9784
02
ATEN Unizon management-plane RCEs need isolation checks
HIGH
CVSS 7.2 high · CWE-22 Path Traversal. ATEN Unizon has three management-plane RCE advisories in today's material: CVE-2026-9777, CVE-2026-9778, and CVE-2026-9779. Treat this as an exposure question first. Administrative interfaces should not be broadly reachable while owners confirm vendor-fixed versions.
CVE-2026-9777
03
Unraid Web Server command injection reaches NAS administration
HIGH
CVSS 8.8 high · CWE-78 OS Command Injection. Unraid Web Server CVE-2026-9772 and CVE-2026-9773 are authenticated command injection RCEs. Authentication lowers the bar compared with unauthenticated exposure, but it is not a reason to leave NAS administration broadly reachable. Restrict administrative access and confirm fixed builds.
CVE-2026-9772
04
OpenAM pre-authentication flaws hit identity services
CRITICAL
CVSS 9.2 critical · CWE-502 Deserialization of Untrusted Data. OpenAM CVE-2026-45051 and CVE-2026-45052 affect identity-plane functions before authentication. Route this to identity-platform owners, with priority on deployments exposing WebAuthn or Liberty Discovery services.
CVE-2026-45051
05
OliveTin command execution flaws need action-surface review
HIGH
CVSS 7.5 high · CWE-362 Race Condition · EPSS 27th percentile. OliveTin CVE-2026-48708 and CVE-2026-53541 affect command-template and argument-handling paths. Inventory OliveTin use, restrict exposed action execution, and validate patched pseudo-versions for the affected handling paths.
CVE-2026-48708
06
Arista EOS CVE-2026-11704 enters EU routing
LOW
[Low] BSI lists WID-SEC-2026-2055 for Arista EOS, anchored by CVE-2026-11704 and related aliases in the collected brief. Network owners should check EOS exposure and patch status, especially on management and routing infrastructure.
CVE-2026-11704
07
Google Cloud Service Mesh and Envoy CVE-2026-47204 need platform mapping
LOW
[Low] BSI's WID-SEC-2026-2048 item covers Google Cloud Service Mesh and Envoy Proxy, with CVE-2026-47204 in the collected identifiers. Platform owners should map service-mesh deployments and validate vendor-fixed versions.
CVE-2026-47204
08
IBM WebSphere and Liberty CVE batch reaches app-server owners
LOW
[Low] WID-SEC-2026-2050 covers IBM WebSphere and Liberty, including CVE-2026-11383, CVE-2026-11536, CVE-2026-11541, CVE-2026-11594, and CVE-2026-11707. Prioritise internet-facing management or application tiers.
CVE-2026-11383
09
IBM DB2 CVE batch enters database-owner assignment
LOW
[Low] WID-SEC-2026-2057 covers IBM DB2, including CVE-2025-36372, CVE-2026-10109, and CVE-2026-11906. Map DB2 ownership and check whether affected database servers are reachable from application or administrative networks.
CVE-2025-36372
10
Red Hat Ansible Automation Platform EDA CVE-2026-11807 needs automation-owner review
CRITICAL
CVSS 9.6 critical · CWE-862 Missing Authorization · EPSS 28th percentile. WID-SEC-2026-2043 covers Red Hat Ansible Automation Platform Event-Driven Ansible CVE-2026-11807. Automation-platform owners should validate exposure, role boundaries, and fixed packages.
CVE-2026-11807

Quest NetVault Backup RCE batch targets backup infrastructure

Quest NetVault Backup RCE batch targets backup infrastructure

Quest NetVault Backup has a four-CVE remote code execution batch: CVE-2026-9784, CVE-2026-9785, CVE-2026-9786, and CVE-2026-9787. Backup infrastructure is often trusted deeply and monitored lightly. Map reachable NetVault services, prioritise instances exposed to less-trusted segments, and validate Quest fixed-build guidance before rollout.

Sources: [ZDI-26-373](http://www.zerodayinitiative.com/advisories/ZDI-26-373/); [ZDI-26-374](http://www.zerodayinitiative.com/advisories/ZDI-26-374/); [ZDI-26-375](http://www.zerodayinitiative.com/advisories/ZDI-26-375/); [ZDI-26-376](http://www.zerodayinitiative.com/advisories/ZDI-26-376/)

ATEN Unizon management-plane RCEs need isolation checks

ATEN Unizon has three management-plane RCE advisories in today's material: CVE-2026-9777, CVE-2026-9778, and CVE-2026-9779. Treat this as an exposure question first. Administrative interfaces should not be broadly reachable while owners confirm vendor-fixed versions.

Sources: [ZDI-26-381](http://www.zerodayinitiative.com/advisories/ZDI-26-381/); [ZDI-26-382](http://www.zerodayinitiative.com/advisories/ZDI-26-382/); [ZDI-26-383](http://www.zerodayinitiative.com/advisories/ZDI-26-383/)

Unraid Web Server command injection reaches NAS administration

Unraid Web Server CVE-2026-9772 and CVE-2026-9773 are authenticated command injection RCEs. Authentication lowers the bar compared with unauthenticated exposure, but it is not a reason to leave NAS administration broadly reachable. Restrict administrative access and confirm fixed builds.

Sources: [ZDI-26-385](http://www.zerodayinitiative.com/advisories/ZDI-26-385/); [ZDI-26-386](http://www.zerodayinitiative.com/advisories/ZDI-26-386/)

OpenAM pre-authentication flaws hit identity services

OpenAM CVE-2026-45051 and CVE-2026-45052 affect identity-plane functions before authentication. Route this to identity-platform owners, with priority on deployments exposing WebAuthn or Liberty Discovery services. The collected advisory material names OpenAM Community Edition up to 16.0.6 and patched version 16.1.1.

Sources: [GitHub Advisory GHSA-6c99-87fr-6q7r](https://github.com/advisories/GHSA-6c99-87fr-6q7r); [GitHub Advisory GHSA-p462-xxwx-pqf4](https://github.com/advisories/GHSA-p462-xxwx-pqf4)

OliveTin command execution flaws need action-surface review

OliveTin CVE-2026-48708 and CVE-2026-53541 affect command-template and argument-handling paths. Inventory OliveTin use, restrict exposed action execution, and validate patched pseudo-versions for the affected handling paths.

Sources: [GitHub Advisory GHSA-7fq5-7wr8-rjwj](https://github.com/advisories/GHSA-7fq5-7wr8-rjwj); [GitHub Advisory GHSA-prj9-97mp-mwh2](https://github.com/advisories/GHSA-prj9-97mp-mwh2)

Arista EOS CVE-2026-11704 enters EU routing

BSI lists WID-SEC-2026-2055 for Arista EOS, anchored by CVE-2026-11704 and related aliases in the collected brief. Network owners should check EOS exposure and patch status, especially on management and routing infrastructure.

Sources: [BSI CERT-Bund WID-SEC-2026-2055](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2055)

Google Cloud Service Mesh and Envoy CVE-2026-47204 need platform mapping

BSI's WID-SEC-2026-2048 item covers Google Cloud Service Mesh and Envoy Proxy, with CVE-2026-47204 in the collected identifiers. Platform owners should map service-mesh deployments and validate vendor-fixed versions.

Sources: [BSI CERT-Bund WID-SEC-2026-2048](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2048)

IBM WebSphere and Liberty CVE batch reaches app-server owners

WID-SEC-2026-2050 covers IBM WebSphere and Liberty, including CVE-2026-11383, CVE-2026-11536, CVE-2026-11541, CVE-2026-11594, and CVE-2026-11707. Prioritise internet-facing management or application tiers.

Sources: [BSI CERT-Bund WID-SEC-2026-2050](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2050)

IBM DB2 CVE batch enters database-owner assignment

WID-SEC-2026-2057 covers IBM DB2, including CVE-2025-36372, CVE-2026-10109, and CVE-2026-11906. Map DB2 ownership and check whether affected database servers are reachable from application or administrative networks.

Sources: [BSI CERT-Bund WID-SEC-2026-2057](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2057)

Red Hat Ansible Automation Platform EDA CVE-2026-11807 needs automation-owner review

WID-SEC-2026-2043 covers Red Hat Ansible Automation Platform Event-Driven Ansible CVE-2026-11807. Automation-platform owners should validate exposure, role boundaries, and fixed packages.

Sources: [BSI CERT-Bund WID-SEC-2026-2043](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2043)

  • Also tracked
  • cURL and libcurl 2026-06-24 CVE batch affects dependency owners · CVE-2026-10536
  • Gogs CVE-2026-52813 can turn path traversal into Git-hook RCE · CVE-2026-52813
  • phpMyFAQ CVE-2026-49205 leaves API write endpoints under-protected · CVE-2026-49205
  • AVideo CVE-2026-55173 leaves command execution path after sanitizer fix · CVE-2026-55173
  • SonicWall SonicOS access-control flaw stays exploitable when post-patch configuration is not remediated · CVE-2024-40766 · Critical
  • Edgecution malicious Microsoft Edge extension abuses native messaging
  • Operation Endgame disrupts StealC, Amadey, and SocGholish services
  • Cordyceps and actions/checkout widen CI/CD trust-boundary risk
  • Tenable Identity Exposure before v3.93.5 gets RCE and SQLi advisory
  • Cisco SD-WAN zero-day exploitation reported at a communications provider
  • ShapedPlugin Pro WordPress plugins backdoored through a compromised update channel
atenci-cdciscosdwancve-2025-36372cve-2026-11383cve-2026-11704cve-2026-11807cve-2026-45051cve-2026-47204cve-2026-48708

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.

Try DCV Try CloudSigma ← Back to feed