CVE-2025-62521
Published: 2025-12-17
Priority: P277 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit likelihood: EPSS 4.15% (89.6th percentile)
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| churchcrm | churchcrm | < 5.21.0 | 5.21.0 |
| churchcrm | churchcrm | < 7.1.0 | 7.1.0 |
| churchcrm | crm | < 7.1.0 | 7.1.0 |
| churchcrm | crm | < 7.3.2 | 7.3.2 |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to the ChurchCRM setup page (setup/routes/setup.php) from unauthenticated sessions, especially those containing PHP code patterns (e.g. '<?php', 'system(', 'exec(', 'passthru(') in the DB_PASSWORD or other form fields.
- Alert on unexpected writes or modifications to Include/Config.php, particularly if the file contains executable PHP code beyond standard configuration variable assignments.
- The injected payload in Include/Config.php is triggered on every subsequent page load — monitor for anomalous process spawning (e.g. the web server spawning shells) following requests to any ChurchCRM page after setup.
- The Metasploit module targets ChurchCRM <= 6.8.0 via the setup page; note that versions up to 6.8.0 remain exploitable despite the 5.21.0 patch, which only added a strlen check on the password field and does not fully remediate the injection.
- The patch in version 5.21.0 is incomplete — it only added a strlen check on the DB_PASSWORD field and does not fully prevent PHP code injection, meaning ChurchCRM versions up to at least 6.8.0 remain vulnerable.
- The vulnerability is pre-authentication and affects the initial installation/setup wizard, meaning it is exploitable before any administrator account is created — exposure of the setup page to the internet is a critical risk factor.
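The two file- and request-level checks above can be scripted. The following is an added example written for this page, not code from ChurchCRM or from the advisory's sources. It assumes Include/Config.php consists only of a PHP open tag, line comments and simple scalar assignments (verify against the template your version writes), and that the POST body is captured by a WAF or reverse proxy; the field name DB_NAME is an assumed example, DB_PASSWORD is the field the advisory names.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of a clean Include/Config.php. Its shape (open tag, line
# comments, scalar assignments) is an assumption about the real template.
CLEAN_CONFIG = """<?php
// Database settings written by the setup wizard
$sSERVERNAME = 'localhost';
$sDATABASE = 'churchcrm';
$sPASSWORD = 'correct horse';
$bLockURL = true;
"""

# Constructed sample where an assignment line carries extra PHP code.
TAMPERED_CONFIG = """<?php
$sSERVERNAME = 'localhost';
$sPASSWORD = 'x'; phpinfo(); $sUNUSED = '';
"""

# Acceptable lines: blank, PHP tag, line comment, or one assignment of a
# quoted string, number, boolean or null. Block comments are not allowed.
ALLOWED_LINE = re.compile(
    r"^\s*(?:<\?php|\?>|//.*|#.*|\$[A-Za-z_]\w*\s*=\s*"
    r"(?:'[^'\\]*'|\"[^\"\\]*\"|-?\d+(?:\.\d+)?|true|false|null)\s*;)?\s*$",
    re.IGNORECASE,
)

def suspicious_config_lines(text):
    """(line_no, line) for each Config.php line that is not a blank, tag,
    comment or plain scalar assignment: code a config file never needs."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if not ALLOWED_LINE.match(line)]

# Markers named in the advisory (PHP open tag, system/exec/passthru calls)
# plus one added heuristic: a quote immediately followed by ';'.
PHP_MARKERS = re.compile(
    r"<\?php|<\?=|\b(?:system|exec|passthru)\s*\(|['\"]\s*;", re.IGNORECASE)

def suspicious_setup_fields(body):
    """Given the raw urlencoded body of a POST to setup/routes/setup.php (as
    a WAF or proxy would capture it), return the names of form fields whose
    values contain PHP code markers."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in fields.items()
                  if any(PHP_MARKERS.search(v) for v in values))

if __name__ == "__main__":
    # Constructed body; DB_NAME is an assumed field name used for contrast.
    body = "DB_NAME=churchcrm&DB_PASSWORD=s3cret%3C%3Fphp+echo+1%3B"
    print(suspicious_setup_fields(body))             # ['DB_PASSWORD']
    print(suspicious_config_lines(TAMPERED_CONFIG))  # flags line 3
```

Run the config check from a file-integrity or cron job against the deployed Include/Config.php and the field check inside whatever component already sees request bodies; neither replaces taking the setup page offline once installation is complete.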
No advisories linked to this vulnerability.
No detection rules found.
No writeups or analysis indexed.