CVE-2025-68109
published 2025-12-17


Priority: P3 57
Severity: high, 7.2 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 1.38% (68.7th percentile)
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

Affected (2 ranges)

Vendor      Product     Version range   Fixed in
churchcrm   churchcrm   < 6.5.3         6.5.3
churchcrm   crm         < 6.5.3         6.5.3

Detection & IOCs (extracted from sources)

path: multi/http/churchcrm_db_restore_rce
filename: .htaccess
  • Monitor for unauthenticated or authenticated file uploads to the ChurchCRM Database Restore endpoint that include non-database file extensions (e.g., .php, .htaccess). A .htaccess upload following a web shell upload is a strong indicator of exploitation.
  • The exploit requires an authenticated user with administrative privileges; alert on admin-level sessions performing file uploads to the Database Restore functionality in ChurchCRM.
  • A public Metasploit module (multi/http/churchcrm_db_restore_rce) exists for this CVE; scan for Metasploit-characteristic HTTP patterns (e.g., default User-Agent, staged payload requests) against ChurchCRM instances.
  • The attack chain involves bypassing upload restrictions via a crafted .htaccess file to enable PHP execution in the upload directory; detect .htaccess files written to web-accessible directories on the server.
  • The Metasploit module targets ChurchCRM version 6.2.0 and earlier, while the NVD advisory states the fix is in version 6.5.3; ensure detection and patching scope covers all versions prior to 6.5.3.
  • Exploitation requires an authenticated administrative session; however, if ChurchCRM admin credentials are weak or reused, the effective attack surface is broader than it appears.
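The first two detection points above, as an added example that is not part of this record or of ChurchCRM: it scans upload records for files sent to the Database Restore endpoint that are not database dumps, and raises the severity when a .htaccess upload follows a script upload in the same session. The log layout, the endpoint name `database/restore` and the dump-extension allowlist are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample upload records (not real ChurchCRM logs); the field
# layout and the restore endpoint name are assumptions for this example.
SAMPLE_LOG = """\
2025-12-18T09:01:02Z session=a1 user=admin role=admin endpoint=database/restore file=backup-2025-12-17.sql.gz
2025-12-18T09:05:40Z session=b2 user=admin role=admin endpoint=database/restore file=cmd.php
2025-12-18T09:05:55Z session=b2 user=admin role=admin endpoint=database/restore file=.htaccess
2025-12-18T09:10:00Z session=c3 user=alice role=member endpoint=people/upload file=photo.jpg
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
                     r"role=(?P<role>\S+) endpoint=(?P<endpoint>\S+) file=(?P<file>\S+)$")
RESTORE_ENDPOINT = "database/restore"             # assumed endpoint name
DB_SUFFIXES = (".sql", ".sql.gz", ".gz", ".zip")  # assumed allowlist for a DB dump
SCRIPT_SUFFIXES = (".php", ".phtml", ".phar")     # server-side script extensions

def classify(filename: str) -> str:
    """Return 'db', 'htaccess', 'script' or 'other' for an uploaded file name."""
    name = filename.lower()
    if name == ".htaccess":
        return "htaccess"        # dotfile with no stem: a plain suffix check would miss it
    if name.endswith(SCRIPT_SUFFIXES):
        return "script"
    if name.endswith(DB_SUFFIXES):
        return "db"
    return "other"

def scan_restore_uploads(log_text: str) -> list[dict]:
    """Flag restore-endpoint uploads that are not database dumps; escalate to
    'high' when a .htaccess follows a script upload in the same session."""
    alerts = []
    script_seen = defaultdict(bool)  # session -> a script file was uploaded earlier
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["endpoint"] != RESTORE_ENDPOINT:
            continue                 # malformed line or unrelated endpoint
        kind = classify(m["file"])
        if kind == "db":
            continue                 # expected input for a restore
        severity = "medium"
        if kind == "script":
            script_seen[m["session"]] = True
        elif kind == "htaccess" and script_seen[m["session"]]:
            severity = "high"        # strong indicator: web shell, then .htaccess
        alerts.append({"ts": m["ts"], "session": m["session"], "user": m["user"],
                       "file": m["file"], "kind": kind, "severity": severity})
    return alerts
```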