
CVE-2025-45346: n/a

High
Published: Tue Jul 29 2025 (07/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

SQL Injection vulnerability in Bacula-web before v.9.7.1 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request.

AI-Powered Analysis

Last updated: 07/29/2025, 20:02:58 UTC

Technical Analysis

CVE-2025-45346 is a SQL Injection vulnerability identified in Bacula-web versions prior to 9.7.1. Bacula-web is a web-based interface used to manage Bacula, an open-source backup solution. The vulnerability allows a remote attacker to execute arbitrary code by sending a specially crafted HTTP GET request, which implies that attacker-controlled input reaches the SQL queries the application runs against its backend database, potentially bypassing authentication or injecting malicious SQL commands. The stated ability to execute arbitrary code suggests that the vulnerability extends beyond simple data leakage or unauthorized data manipulation and could allow full system compromise, depending on the privileges of the database user and the web server process. Since the attack vector is an HTTP GET request, exploitation can be performed remotely without authentication or user interaction, increasing both the risk and the ease of exploitation. No CVSS score has been assigned yet, and no known exploits in the wild had been reported as of the publication date. The absence of patch links means that remediation guidance may not yet be widely published; the fix is in version 9.7.1, so upgrading to 9.7.1 or later is the remedy. Organizations using Bacula-web for backup management should treat this vulnerability as critical because of the potential for arbitrary code execution, which can lead to data breaches, service disruption, or further network compromise.

Potential Impact

For European organizations, the impact of this vulnerability can be significant. Bacula-web is used by enterprises and public sector organizations to manage backup operations, which are critical for data integrity and disaster recovery. Exploitation could lead to unauthorized access to backup data, manipulation or deletion of backups, and potential lateral movement within the network. This could disrupt business continuity and lead to data loss or exposure of sensitive information. Given the importance of data protection regulations such as GDPR in Europe, a breach resulting from this vulnerability could also lead to regulatory penalties and reputational damage. Additionally, since backups often contain sensitive or critical data, compromise of the backup management interface could have cascading effects on the overall security posture of affected organizations.

Mitigation Recommendations

European organizations should immediately verify their Bacula-web version and upgrade to version 9.7.1 or later where the vulnerability is patched. Until the upgrade is performed, organizations should restrict access to the Bacula-web interface to trusted networks only, ideally via VPN or other secure channels, to reduce exposure to remote attackers. Implementing Web Application Firewalls (WAF) with rules to detect and block SQL injection attempts can provide additional protection. Regularly auditing and monitoring web server logs for suspicious HTTP GET requests can help detect exploitation attempts early. Organizations should also review database user privileges associated with Bacula-web to ensure the principle of least privilege is enforced, limiting the potential impact of any successful injection. Finally, maintaining up-to-date backups and testing recovery procedures will help mitigate the impact if compromise occurs.
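To make the log-monitoring recommendation concrete, the following added example (not code from the advisory or from the Bacula-web project) parses combined-format web server access logs and flags GET requests to the Bacula-web path whose URL-decoded query parameters match common SQL injection indicators. The log lines, the `/bacula-web/` path prefix and the parameter names are constructed assumptions; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2025:10:01:02 +0000] "GET /bacula-web/index.php?page=jobs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Jul/2025:10:01:09 +0000] "GET /bacula-web/index.php?client_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 7311 "-" "curl/8.4.0"
10.0.0.9 - - [29/Jul/2025:10:02:15 +0000] "GET /bacula-web/index.php?job_id=3%20UNION%20SELECT%20name,passwd%20FROM%20users--%20 HTTP/1.1" 500 212 "-" "python-requests/2.31"
10.0.0.5 - - [29/Jul/2025:10:03:00 +0000] "POST /bacula-web/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the detection needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Indicator name -> regex applied to each URL-decoded parameter value.
INDICATORS = {
    "quote_tautology": re.compile(r"'\s*(or|and)\s*'?\s*\d+\s*'?\s*=", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "sql_comment": re.compile(r"(--|/\*|#)\s*$"),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
}

def suspicious_indicators(value: str) -> list[str]:
    """Return the names of all indicators matched by one decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def scan_log(text: str, path_prefix: str = "/bacula-web/") -> list[dict]:
    """Flag GET requests under path_prefix whose query parameters match an indicator.
    Other methods and paths are skipped: the advisory concerns crafted GET requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(path_prefix):
            continue
        # parse_qsl decodes %XX and '+', so percent-encoded payloads are inspected in clear.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            found = suspicious_indicators(value)
            if found:
                hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "path": url.path, "param": name, "indicators": found})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The heuristics are deliberately narrow to keep false positives low on a backup console; a match is a trigger for review of that client's traffic, not proof of exploitation.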


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68892561ad5a09ad00908c6e

Added to database: 7/29/2025, 7:47:45 PM

Last enriched: 7/29/2025, 8:02:58 PM

Last updated: 7/30/2025, 2:53:30 AM
