cbcvebase.
CVE-2025-1023
published 2025-02-18

Priority: P1 · 81 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW exploit: VulnCheck KEV (Exploited in the wild)
EPSS: 2.18% (80.1th percentile)
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.

Affected (17 ranges)

Vendor      Product                              Version range       Fixed in
churchcrm   churchcrm                            <= 5.13.0
churchcrm   churchcrm
msrc        windows_10
msrc        windows_10_version_1607
msrc        windows_10_version_1809
msrc        windows_10_version_21h2
msrc        windows_10_version_22h2
msrc        windows_11_version_22h2
msrc        windows_11_version_23h2
msrc        windows_11_version_24h2
msrc        windows_11_version_25h2
msrc        windows_server_2016
msrc        windows_server_2019
msrc        windows_server_2022
msrc        windows_server_2022_23h2_edition
msrc        windows_server_2025
vllm        vllm                                 >= 0.7.0 < 0.9.0    0.9.0

Detection & IOCs (extracted from sources)

url: /EditEventTypes.php
command: EN_tyid=1&newEvtName=Test&newEvtStartTime=10:30:00&newCountName=1%27%20AND%20(SELECT%20SLEEP(8))%20AND%20%271%27%3D%271&Action=ADD
  • Detect time-based blind SQLi exploitation: POST requests to /EditEventTypes.php with a `newCountName` parameter containing SQL sleep payloads (e.g., SLEEP(8)) should be flagged. A server response time >= 8 seconds combined with HTTP 500 status is a strong indicator of successful exploitation.
  • Monitor POST requests to /EditEventTypes.php for the `newCountName` parameter containing SQL metacharacters or injection patterns (e.g., single quotes, AND, SELECT, SLEEP).
  • Shodan/FOFA exposure query: use `http.title:"churchcrm"` (Shodan) or `app="churchcrm"` (FOFA) to identify internet-exposed ChurchCRM instances that may be targeted.
  • The attack requires authentication; monitor for login attempts to /session/begin immediately followed by POST requests to /EditEventTypes.php with suspicious `newCountName` values as a two-step attack chain.
  • The CVSS score in the Nuclei template is rated 9.8 (Critical, PR:N, i.e. no authentication required), but the template itself and its tags indicate the attack IS authenticated (`authenticated` tag, login step in the HTTP chain). Detections should account for a prior valid session.
  • The Nuclei template uses a 30-second timeout and an 8-second SLEEP payload; detection rules based on response time must account for network latency and normally slow responses to avoid false positives.
  • Affected versions are ChurchCRM 5.13.0 and prior; version fingerprinting should be used to prioritize alerts on unpatched instances.
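The detection bullets above describe three signals: a `newCountName` value carrying SQL metacharacters or a SLEEP payload, a long response time combined with HTTP 500, and a login to /session/begin shortly before the suspicious POST from the same client. The following is an added example (not part of this record or of ChurchCRM) that applies those rules to a constructed access-log excerpt. The log format (space-separated timestamp, client, method, path, status, response milliseconds, request body) and the sample lines are assumptions made for the example; the payload line reuses the request body quoted on this page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample log (not real traffic). Field order, space-separated:
# timestamp client method path status response_ms request_body ("-" if none)
SAMPLE_LOG = """\
2025-02-18T10:00:00Z 203.0.113.5 POST /session/begin 302 120 User=admin&Password=REDACTED
2025-02-18T10:00:03Z 203.0.113.5 POST /EditEventTypes.php 500 8210 EN_tyid=1&newEvtName=Test&newEvtStartTime=10:30:00&newCountName=1%27%20AND%20(SELECT%20SLEEP(8))%20AND%20%271%27%3D%271&Action=ADD
2025-02-18T10:05:00Z 198.51.100.7 POST /EditEventTypes.php 200 95 EN_tyid=2&newEvtName=Picnic&newEvtStartTime=12:00:00&newCountName=Attendees&Action=ADD
2025-02-18T10:06:00Z 198.51.100.7 POST /EditEventTypes.php 200 90 EN_tyid=2&newEvtName=Choir&newEvtStartTime=12:00:00&newCountName=St.%20Mary%27s&Action=ADD
2025-02-18T10:07:00Z 198.51.100.7 GET /EditEventTypes.php 200 40 -
"""

TARGET_PATH = "/EditEventTypes.php"
LOGIN_PATH = "/session/begin"

# Indicators in the decoded newCountName value: quote/comment metacharacters
# (weak signal on their own, e.g. a legitimate apostrophe) and time-delay or
# subquery keywords (strong signal).
METACHAR_RE = re.compile(r"'|--|/\*")
PAYLOAD_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(|\bselect\b", re.I)


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    path: str
    status: int
    response_ms: int
    params: dict


def parse_line(line: str) -> Event:
    """Parse one log line of the assumed format into an Event."""
    ts, client, method, path, status, ms, body = line.split(" ", 6)
    params = parse_qs(body) if body != "-" else {}  # parse_qs percent-decodes values
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 client, method, path, int(status), int(ms), params)


def classify(ev: Event, min_delay_ms: int = 8000) -> Optional[str]:
    """Return 'strong', 'suspicious' or None for a single request.

    'strong' needs all three: a delay/subquery payload, a response at least as
    long as the SLEEP argument (8 s per the template) and HTTP 500. A slow
    benign request without a payload is never flagged, which keeps latency
    spikes from producing false positives on their own."""
    if ev.method != "POST" or ev.path != TARGET_PATH:
        return None
    value = " ".join(ev.params.get("newCountName", []))
    has_payload = bool(PAYLOAD_RE.search(value))
    has_meta = bool(METACHAR_RE.search(value))
    if not (has_payload or has_meta):
        return None
    if has_payload and ev.status == 500 and ev.response_ms >= min_delay_ms:
        return "strong"
    return "suspicious"


def detect(log_text: str, chain_window: timedelta = timedelta(minutes=5)) -> list:
    """Scan a log excerpt and return findings, marking requests that follow a
    login from the same client within chain_window (the two-step chain)."""
    last_login = {}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.method == "POST" and ev.path == LOGIN_PATH:
            last_login[ev.client] = ev.ts
            continue
        level = classify(ev)
        if level is None:
            continue
        login_ts = last_login.get(ev.client)
        chained = login_ts is not None and ev.ts - login_ts <= chain_window
        findings.append({"ts": ev.ts.isoformat(), "client": ev.client, "level": level,
                         "after_login": chained, "status": ev.status,
                         "response_ms": ev.response_ms})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample, the 203.0.113.5 request is reported as `strong` and `after_login=True` (login three seconds earlier, SLEEP payload, 8.2 s, HTTP 500), while the `St. Mary's` value is reported only as `suspicious` because a lone apostrophe is a weak signal; tune `min_delay_ms` and `chain_window` to the observed latency and session behaviour of the deployment.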

CVSS provenance

nvd (v3.1)      9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v4.0)      9.3  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Red
vulncheck       9.3  CRITICAL
vendor_redhat   7.8  HIGH
vendor_msrc     6.1  MEDIUM