A critical SQL Injection vulnerability, identified as CVE-2025-45346, has been discovered in the Bacula-web management interface. This flaw allows a remote attacker to execute arbitrary commands on the backend database without authentication. Successful exploitation could lead to a complete compromise of the backup system's data, resulting in data theft, modification, or deletion, severely impacting an organization's business continuity and data security posture.

The vulnerability is a classic SQL Injection (SQLi) flaw within the Bacula-web interface. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries. An unauthenticated remote attacker can exploit this by sending a crafted payload to a vulnerable web parameter, allowing them to execute arbitrary SQL commands on the backend database. This could lead to a complete compromise of the database, including data exfiltration, modification, or destruction.

This vulnerability is rated as High severity with a CVSS score of 8.1. A successful exploit could have a significant business impact, including a major data breach of sensitive information managed by the Bacula backup system. Attackers could steal, alter, or delete critical backup data, undermining the organization's disaster recovery and business continuity capabilities. The potential consequences include severe reputational damage, financial loss, and potential regulatory penalties depending on the nature of the compromised data.

Immediate Action: The primary and most effective remediation is to apply the vendor-supplied patches for Bacula-web immediately. In addition, organizations should review the database access controls for the user account leveraged by Bacula-web, ensuring it operates under the principle of least privilege. It is also recommended to enable detailed database query logging to create an audit trail for security analysis and incident response.

Proactive Monitoring: Security teams should proactively monitor web server access logs, application logs, and database logs for any signs of attempted exploitation. Specifically, look for suspicious requests containing SQL syntax, keywords (e.g., UNION, SELECT, '--), or malformed input strings directed at the Bacula-web interface. Network traffic monitoring should be configured to detect anomalous data flows from the database server, which could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. Deploying a Web Application Firewall (WAF) with a robust SQL injection rule set can help detect and block malicious requests before they reach the application. Additionally, restricting network access to the Bacula-web management interface to only trusted internal IP addresses or requiring access via a secure VPN can significantly reduce the attack surface.

Public Exploit Available: false

Given the high severity (CVSS 8.1) of this vulnerability and the critical role of the Bacula system in organizational data protection and disaster recovery, we strongly recommend that immediate action is taken. The primary course of action is to apply the vendor-provided security patches across all affected Bacula-web instances without delay. While this CVE is not currently listed on the CISA KEV catalog, its high impact and the likelihood of future exploitation demand urgent attention to prevent potential data compromise and operational disruption.