CVE-2025-68109
Published: 2025-12-17
Priority: P3 · 57 · Severity: high · CVSS 3.1 base score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 1.38% (68.7th percentile)
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.
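The weakness described above is the absence of any check on the name or content of the restore upload. The following is an added example, not ChurchCRM's own code, of the validation such an endpoint needs: an extension allowlist, outright rejection of dotfiles such as .htaccess, a content check that the bytes are what the extension claims (gzip magic plus a decompressible stream, or plain SQL text), and storage under a server-chosen random name in a directory assumed to sit outside the document root. The allowed extensions, the heuristics and the paths are assumptions made for this example.

```python
"""
Added example, not ChurchCRM's own code: validation for a database-restore
upload so that only database dumps are accepted. Extensions, checks and
paths are assumptions for this example.
"""
import gzip
import io
import os
import secrets

ALLOWED_EXT = (".sql.gz", ".sql")   # assumed backup formats; longest first
GZIP_MAGIC = b"\x1f\x8b"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def allowed_extension(filename):
    """Return the matched allowlisted extension or raise UploadRejected."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if not base or base.startswith("."):
        raise UploadRejected("dotfile or empty name rejected")   # covers .htaccess
    for ext in ALLOWED_EXT:
        if base.endswith(ext):
            return ext
    raise UploadRejected("extension not in allowlist")


def check_content(data, ext):
    """Reject content that does not look like the dump the extension claims."""
    if ext == ".sql.gz":
        if not data.startswith(GZIP_MAGIC):
            raise UploadRejected("not a gzip stream")
        try:
            head = gzip.GzipFile(fileobj=io.BytesIO(data)).read(4096)
        except (OSError, EOFError):
            raise UploadRejected("corrupt gzip stream") from None
    else:
        head = data[:4096]
    # A SQL dump is text; NUL bytes or a PHP open tag mean it is something else.
    if b"\x00" in head or b"<?" in head:
        raise UploadRejected("content does not look like a SQL dump")


def validate_upload(filename, data):
    """Run both checks; return the accepted extension."""
    ext = allowed_extension(filename)
    check_content(data, ext)
    return ext


def rejection_reason(filename, data):
    """Convenience wrapper: None when accepted, otherwise the reason text."""
    try:
        validate_upload(filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


def accept_upload(filename, data, store_dir):
    """Validate, then write under a random server-chosen name; returns the path.
    store_dir is assumed to be outside the document root, so nothing stored
    here is reachable through the web server."""
    ext = validate_upload(filename, data)
    os.makedirs(store_dir, exist_ok=True)
    path = os.path.join(store_dir, f"restore-{secrets.token_hex(8)}{ext}")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample inputs for a quick self-check.
SAMPLE_SQL = b"-- MySQL dump (constructed)\nCREATE TABLE person (id INT);\n"
SAMPLE_SQL_GZ = gzip.compress(SAMPLE_SQL)

if __name__ == "__main__":
    print(validate_upload("backup.sql.gz", SAMPLE_SQL_GZ))
    print(rejection_reason(".htaccess", b"# constructed\n"))
    print(rejection_reason("dump.sql", b"<?php echo 'x'; ?>"))
```

The two halves matter together: the name check alone is what the unfixed versions lacked, and the content check catches a dump-named file that is really a script, while the random server-side name and out-of-webroot directory mean that even a file that slipped past both checks would not be addressable by URL.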
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| churchcrm | churchcrm | < 6.5.3 | 6.5.3 |
| churchcrm | crm | < 6.5.3 | 6.5.3 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated or authenticated file uploads to the ChurchCRM Database Restore endpoint that include non-database file extensions (e.g., .php, .htaccess). A .htaccess upload following a web shell upload is a strong indicator of exploitation.
- The exploit requires an authenticated user with administrative privileges; alert on admin-level sessions performing file uploads to the Database Restore functionality in ChurchCRM.
- A public Metasploit module (multi/http/churchcrm_db_restore_rce) exists for this CVE; scan for Metasploit-characteristic HTTP patterns (e.g., default User-Agent, staged payload requests) against ChurchCRM instances.
- The attack chain involves bypassing upload restrictions via a crafted .htaccess file to enable PHP execution in the upload directory; detect .htaccess files written to web-accessible directories on the server.
- The Metasploit module targets ChurchCRM version 6.2.0 and earlier, while the NVD advisory states the fix is in version 6.5.3; ensure detection and patching scope covers all versions prior to 6.5.3.
- Exploitation requires an authenticated administrative session; however, if ChurchCRM admin credentials are weak or reused, the effective attack surface is broader than it appears.
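The first and fourth indicators above can be turned into concrete checks. The following is an added example, not ChurchCRM project code or a published detection rule: a log-side detector that flags uploads to the restore endpoint whose filenames are not backup files and singles out sessions where a script upload was followed by a .htaccess upload, plus a filesystem-side sweep for .htaccess and script files under a web-accessible upload directory. The endpoint path (`/restore-db`), the log line format, the session field and the allowed backup extensions are constructed assumptions; substitute the real values from your deployment's proxy or application logs.

```python
"""
Added example (not ChurchCRM project code): detection for the upload pattern
described in this record. Assumes a log that records, per request, the time,
session id, user, method, path and client-supplied filename; the format,
endpoint path and extension lists are constructed assumptions.
"""
import os
import re
from collections import defaultdict

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
2025-12-17T10:00:01Z sess=a1 user=admin POST /restore-db filename=backup-2025-12-16.sql.gz
2025-12-17T10:05:12Z sess=b2 user=admin POST /restore-db filename=cmd.php
2025-12-17T10:05:40Z sess=b2 user=admin POST /restore-db filename=.htaccess
2025-12-17T10:06:00Z sess=c3 user=admin POST /restore-db filename=notes.txt
2025-12-17T10:07:00Z sess=c3 user=admin GET /members filename=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) filename=(?P<filename>\S+)$"
)

RESTORE_ENDPOINT = "/restore-db"             # assumed; substitute the real path
ALLOWED_EXT = (".sql", ".sql.gz", ".zip")     # assumed backup formats
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(filename):
    """Return None for an expected backup name, else a short reason string."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if base.endswith(ALLOWED_EXT):
        return None
    if base == ".htaccess":
        return "htaccess"
    if base.endswith(SCRIPT_EXT):
        return "script"
    return "non-database-extension"


def analyze(log_text):
    """Flag restore-endpoint uploads whose names are not backup files, and
    sessions in which a script upload was followed by a .htaccess upload."""
    findings = []
    per_session = defaultdict(list)   # session id -> ordered list of reasons
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != RESTORE_ENDPOINT:
            continue
        reason = classify(ev["filename"])
        if reason is None:
            continue
        findings.append({"ts": ev["ts"], "sess": ev["sess"], "user": ev["user"],
                         "filename": ev["filename"], "reason": reason})
        per_session[ev["sess"]].append(reason)
    chained = [s for s, r in per_session.items()
               if "script" in r and "htaccess" in r
               and r.index("script") < r.index("htaccess")]
    return {"findings": findings, "chained_sessions": chained}


def scan_upload_dir(root):
    """Filesystem-side check: list .htaccess and script files found anywhere
    under a web-accessible upload directory (the fourth indicator above)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if classify(name) in ("htaccess", "script"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['ts']} sess={f['sess']} user={f['user']} {f['reason']}: {f['filename']}")
    print("sessions with script-then-htaccess chain:", result["chained_sessions"])
```

Any single non-backup upload to the restore endpoint is worth a ticket given that the endpoint should only ever receive dumps, but the ordered pair of a script followed by .htaccess in one session is the high-confidence signal called out in the indicators, so the two are reported separately.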
No advisories linked to this vulnerability.
No detection rules found.