CVE-2025-45346

8.1 HIGH

📋 TL;DR

Bacula-web before version 9.7.1 contains a SQL injection vulnerability reachable through crafted HTTP GET requests. A remote, unauthenticated attacker can run arbitrary SQL against the Bacula catalog database: read, modify or delete its contents and, depending on the privileges of the database account Bacula-web connects with, potentially reach code execution on the database host. All installations running a version before 9.7.1 are affected.

💻 Affected Systems

Products:
  • Bacula-web
Versions: All versions before 9.7.1
Operating Systems: All platforms running Bacula-web
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation whose web interface is reachable by an attacker is exploitable. The flaw is in the Bacula-web application code (the PHP layer that builds catalog queries from request parameters), not in the web server, the database, or the Bacula daemons themselves.

📦 What is this software?

Bacula-web is an open-source, PHP-based web interface for the Bacula backup system. It reports on backup jobs, clients, pools and volumes by querying the Bacula catalog database (MySQL, PostgreSQL or SQLite), which is why an injection in its request handling lands directly on the catalog.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise: remote code execution on the database or web host (requires a database account with file-write or command privileges), data exfiltration, and lateral movement within the network.

🟠 Likely Case: Compromise of the Bacula catalog database: theft, modification or deletion of backup metadata (job history, client names, file lists, volume records) and of Bacula-web's own configuration and user data.

🟢 If Mitigated: If Bacula-web connects with a SELECT-only account restricted to the catalog, the attacker is limited to reading catalog data (job, client and file metadata); no modification, deletion or code execution path remains.

🌐 Internet-Facing: HIGH - Remote exploitation via HTTP requests makes internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: No (none known at time of writing)
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Injection through a GET parameter is the easiest case for automated tools such as sqlmap: the payload is a single URL, needs no session or authentication, and can be replayed by a script against every exposed instance. The advisory describes exactly this vector, remote exploitation via crafted HTTP GET requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.7.1

Vendor Advisory: https://github.com/bacula-web/bacula-web/releases/tag/v9.7.1

Restart Required: Yes

Instructions:

1. Back up the current Bacula-web configuration and data.
2. Download Bacula-web v9.7.1 from the GitHub releases page.
3. Replace the existing installation with the new version (keep your configuration file).
4. Restart the web server service.
5. Verify that the interface loads and reports version 9.7.1.

🔧 Temporary Workarounds

Web Application Firewall (platform: all)

Deploy a WAF with SQL injection rules in front of Bacula-web to block obviously malicious requests. Treat this as a stopgap: signature rules are routinely bypassed with encoding and comment tricks, so keep it only until the upgrade is done.

Network Segmentation (platform: linux)

Restrict access to the Bacula-web interface to trusted IP addresses only, for example with host firewall rules on the Linux server running it:

# TRUSTED_IP is a placeholder: substitute the admin host or CIDR (repeat the ACCEPT lines per trusted source).
# The rules are appended (-A); an earlier ACCEPT rule in INPUT would take precedence, so review
# 'iptables -L INPUT -n --line-numbers' first or use -I to insert them at the top of the chain.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
# Adjust the ports if Bacula-web is served elsewhere, and mirror the rules in ip6tables if IPv6 is enabled.

🧯 If You Can't Patch

  • If you maintain a local fork, convert the affected query to prepared statements with bound parameters rather than escaping or filtering input; otherwise rely on the controls below
  • Run Bacula-web with a dedicated database account that has SELECT-only rights on the catalog tables, so an injected UPDATE, DELETE or file-write fails at the database
  • Enable database query or audit logging so injection attempts leave a trace
  • Put the interface behind an authenticating reverse proxy or VPN so the vulnerable GET endpoint is not reachable without credentials
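The two layers above, query parameterisation and a least-privilege database account, are shown together in the following added example. It is not Bacula-web's code: the table names follow Bacula's catalog schema (Client, Job, JobId, ClientId), but the rows, the users table, the hash value, the URL and the client_id parameter are constructed for the demonstration, and SQLite's query_only pragma stands in for a SELECT-only MySQL/PostgreSQL account. The vulnerable function concatenates the GET parameter into SQL and leaks the users table through a UNION; the fixed function validates and binds the value; the read-only session shows why the 🟢 "If Mitigated" tier stops at data viewing.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the Bacula catalog plus a Bacula-web users table.
# Table/column names (Client, Job, ClientId, JobId, JobStatus) follow Bacula's catalog
# schema; the rows, the users table and the hash value are invented for this example.
SCHEMA = """
CREATE TABLE Client (ClientId INTEGER PRIMARY KEY, Name TEXT);
CREATE TABLE Job    (JobId INTEGER PRIMARY KEY, Name TEXT, ClientId INTEGER, JobStatus TEXT);
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO Client VALUES (1, 'web01-fd'), (2, 'db01-fd');
INSERT INTO Job VALUES (1, 'BackupWeb', 1, 'T'), (2, 'BackupDB', 2, 'T'), (3, 'BackupMail', 1, 'E');
INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash-for-demo');
"""


def make_catalog():
    """In-memory SQLite database loaded with the constructed schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def client_id_from_url(url):
    """The client_id GET parameter as a PHP handler sees it in $_GET (already URL-decoded)."""
    return parse_qs(urlsplit(url).query)["client_id"][0]


def jobs_for_client_vulnerable(conn, client_id):
    """Untrusted parameter concatenated into the query: the pattern behind this class of bug."""
    sql = f"SELECT JobId, Name FROM Job WHERE ClientId = {client_id}"
    return conn.execute(sql).fetchall()


def jobs_for_client_fixed(conn, client_id):
    """Validate the type, then bind the value: it is sent as data and never parsed as SQL."""
    try:
        cid = int(client_id)
    except ValueError:
        raise ValueError("client_id must be an integer") from None
    return conn.execute(
        "SELECT JobId, Name FROM Job WHERE ClientId = ? ORDER BY JobId", (cid,)
    ).fetchall()


def write_blocked_by_readonly(conn, sql):
    """Least privilege at the database layer, modelled with SQLite's query_only pragma.
    Runs a stacked-query payload through the vulnerable path; True if the write is refused."""
    conn.execute("PRAGMA query_only = 1")
    try:
        conn.executescript(sql)
        return False
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True
    finally:
        conn.execute("PRAGMA query_only = 0")


if __name__ == "__main__":
    db = make_catalog()
    # Constructed attack URL: client_id=1 UNION SELECT id, username||':'||password_hash FROM users
    url = ("/index.php?page=jobs&client_id=1%20UNION%20SELECT%20id%2C%20"
           "username%7C%7C%27%3A%27%7C%7Cpassword_hash%20FROM%20users")
    payload = client_id_from_url(url)
    print("vulnerable:", jobs_for_client_vulnerable(db, payload))
    try:
        jobs_for_client_fixed(db, payload)
    except ValueError as err:
        print("fixed:", err)
    print("stacked DELETE blocked by read-only session:",
          write_blocked_by_readonly(db, "SELECT JobId FROM Job WHERE ClientId = 1; DELETE FROM Job;"))
```

Note that the read-only session does not stop the UNION read in the first call: a SELECT-only account bounds the damage to disclosure, which is why it is a mitigation and not a fix. Only binding the parameter removes the injection.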

🔍 How to Verify

Check if Vulnerable:

Determine the installed Bacula-web version from the web interface footer or from the installation directory. Any version below 9.7.1 is vulnerable.

Check Version:

grep -i 'version' /path/to/bacula-web/config/config.php   # /path/to/bacula-web is a placeholder for your install directory

or read the version string shown in the web interface footer.

Verify Fix Applied:

Confirm the running version is 9.7.1 or later. Then, from an authorised scanner, re-test the affected GET endpoint with a benign probe (a single quote or a tautology appended to the parameter) and confirm the response no longer changes in a way that indicates the query was altered.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected statements in database query or audit logs (UNION SELECT, SLEEP()/BENCHMARK(), information_schema or sqlite_master lookups) originating from the Bacula-web database account
  • Web access log entries whose query parameters carry SQL syntax, quotes or comment sequences, especially once the URL is percent-decoded
  • Database error messages in the web server or PHP error log triggered by malformed queries from the web application

Network Indicators:

  • HTTP GET requests whose decoded query string contains SQL fragments: UNION SELECT, OR 1=1 style tautologies, SLEEP()/BENCHMARK() delays, comment terminators (-- or /*), or information_schema lookups
  • Bursts of requests to the same Bacula-web endpoint in which one parameter varies only by appended SQL syntax, typical of sqlmap and similar scanners
  • Unusual traffic patterns to Bacula-web endpoints, e.g. many requests from a single source outside normal administration hours

SIEM Query:

source="web_access.log" AND (url="*SELECT*" OR url="*UNION*" OR url="*INSERT*" OR url="*DELETE*")

This keyword match on the raw URL is a starting point only: it misses payloads that percent-encode the keywords themselves (%55NION for UNION) or double-encode whitespace, and it flags benign paths that merely contain those words. Decode the query string before matching where your SIEM supports it, and tune the rule on your own traffic.
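The following added example (not part of this page or of Bacula-web) implements the decode-then-match approach for the indicators listed above and contrasts it with the raw keyword query. The access log lines are constructed in Apache combined format for a hypothetical Bacula-web host; addresses, timestamps, paths, parameters and user agents are invented. Two of the constructed requests percent-encode the SQL keywords or double-encode the spaces so that the raw substring search misses them, and a benign request whose parameter value contains the word "select" shows the false positive the raw search produces.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines for a hypothetical Bacula-web host.
# Addresses, timestamps, paths, parameters and user agents are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /index.php?page=jobs&client_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:12:00:03 +0000] "GET /index.php?page=jobs&client_id=1%27%20%55NION%20%53ELECT%20username%2Cpassword_hash%20FROM%20users--%20- HTTP/1.1" 200 6210 "-" "sqlmap/1.8"
203.0.113.7 - - [10/May/2025:12:00:04 +0000] "GET /index.php?page=jobs&client_id=1%2520AND%2520SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.9 - - [10/May/2025:12:00:05 +0000] "GET /index.php?page=client&name=select-backup-01 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')

# Indicator patterns, applied to the fully decoded and lower-cased query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "tautology": re.compile(r"""\b(or|and)\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+"""),
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\("),
    "comment_terminator": re.compile(r"(--(\s|$)|/\*)"),
    "schema_probe": re.compile(r"\b(information_schema|sqlite_master|pg_catalog)\b"),
}


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads (%2520 -> %20 -> space) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one combined-format line into its fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "time": ts, "method": method, "path": path,
            "raw_query": query, "status": int(status)}


def naive_keyword_match(raw_target):
    """The raw-URL keyword check of the SIEM query above: case-insensitive substring match."""
    t = raw_target.lower()
    return any(k in t for k in ("select", "union", "insert", "delete"))


def sqli_indicators(raw_query):
    """Names of the indicator patterns matched by the decoded query string."""
    q = decode_fully(raw_query).lower()
    return [name for name, rx in INDICATORS.items() if rx.search(q)]


def scan(lines):
    """Return one hit record per request whose decoded query matches at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = sqli_indicators(rec["raw_query"])
        if found:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "query": decode_fully(rec["raw_query"]), "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} {hit['path']} -> {hit['indicators']}: {hit['query']}")
```

Run against the constructed log, the scanner flags the two requests from 203.0.113.7 (UNION SELECT with a comment terminator, then a time-based probe) and ignores the benign "select-backup-01" client name, while the raw keyword check gets both of those outcomes backwards. The decode step matters because web servers log the request line exactly as sent, so an attacker who encodes letters of the keyword never trips a substring rule.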

🔗 References

  • Bacula-web v9.7.1 release (vendor fix): https://github.com/bacula-web/bacula-web/releases/tag/v9.7.1
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-45346