CVE-2025-2353

CVE-2025-2353 is a critical SQL injection vulnerability affecting VAM Virtual Airlines Manager versions up to 2.6.2. The issue resides in an unknown function within the file /vam/index.php, specifically the HTTP GET Parameter Handler component. Attackers can exploit it by manipulating the arguments ID, registry_id, or plane_icao, with other parameters potentially vulnerable as well. The vulnerability was published on 2025-03-17 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), associated with CWE-74 and CWE-89.

The vulnerability enables remote exploitation without authentication or user interaction. Unauthenticated attackers can send crafted HTTP GET requests to the affected endpoint, injecting malicious SQL payloads to potentially read sensitive data, modify database contents, or disrupt service availability, albeit with low impact levels across confidentiality, integrity, and availability as per the CVSS score.

VulDB advisories, which serve as the primary references for this CVE, indicate that the exploit has been publicly disclosed and may be actively used. The vendor was contacted early regarding the issue but provided no response, and no patches or mitigations are mentioned in available details.

Notable context includes the public availability of the exploit, increasing the risk of immediate exploitation against unpatched instances of VAM Virtual Airlines Manager.