CVE-2025-62521
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to 5.21.0 (excluding 5.21.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical unauthenticated remote code execution (RCE) flaw in ChurchCRM's setup wizard prior to version 5.21.0. During the initial installation, user input from the setup form is directly inserted into a PHP configuration file without validation or sanitization. Attackers can inject arbitrary PHP code into parameters like DB_PASSWORD, which gets written into Include/Config.php and executed on every page load. This allows attackers to execute any PHP code on the server with web server privileges without needing any authentication. [1]
How can this vulnerability impact me?
The vulnerability can lead to complete server compromise without requiring any credentials. An attacker can execute arbitrary system commands as the web server user, access all server files, move laterally within the network, and install persistent backdoors before the application is fully configured. This results in full server takeover, loss of confidentiality, integrity, and availability of the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the ChurchCRM installation is running a version prior to 5.21.0 and if the setup wizard has been exploited to inject PHP code into the Include/Config.php file. One way to detect exploitation is to inspect the Include/Config.php file for suspicious PHP code injections, such as unexpected system command executions. Additionally, you can attempt to send HTTP requests with command parameters to see if arbitrary commands are executed, for example: curl "http://[target]/?cmd=whoami". If the response returns the output of the command, the system is vulnerable or compromised. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading ChurchCRM to version 5.21.0 or later, which patches the vulnerability. Until the upgrade can be performed, restrict access to the setup wizard URL to trusted users only or block it entirely to prevent unauthenticated access. Additionally, inspect the Include/Config.php file for injected code and restore it from a clean backup if necessary. Monitor for any signs of compromise and consider rebuilding the server if a compromise is confirmed. [1]
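The following is an added illustration written for this page; it is not ChurchCRM's own setup code and makes no claim about how that project generates Include/Config.php. It shows, in a deliberately minimal form, the code-injection pattern described in the answer above (a form value pasted straight into PHP source) beside a hardened writer that emits the value as a proper string literal, and it includes a line-by-line integrity check of the kind the mitigation answer suggests for inspecting an existing config file. The function names, the CONFIG_KEYS list, the one-define-per-line template and the sample form values are all assumptions made for this example.

```php
<?php
// Added example (not ChurchCRM's code): a minimal setup-wizard config writer
// in its vulnerable and hardened forms, plus an integrity check a defender
// can run over the text of an existing Include/Config.php. The template
// (one define() per key) and the key list are assumptions for this example.

const CONFIG_KEYS = ['DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASSWORD'];

// Vulnerable pattern: the submitted value is pasted into PHP source as-is.
// A single quote inside the value ends the string literal, and whatever
// follows is parsed as PHP on every include of the generated file.
function writeConfigVulnerable(array $form): string
{
    $out = "<?php\n";
    foreach (CONFIG_KEYS as $key) {
        $out .= "define('$key', '" . $form[$key] . "');\n";
    }
    return $out;
}

// Hardened pattern: require every expected key, reject values that should
// never appear in a config setting, and let var_export() produce a correctly
// escaped PHP string literal so the value cannot leave the literal.
function writeConfigHardened(array $form): string
{
    $out = "<?php\n";
    foreach (CONFIG_KEYS as $key) {
        if (!array_key_exists($key, $form) || !is_string($form[$key])) {
            throw new InvalidArgumentException("missing or non-string value for $key");
        }
        $value = $form[$key];
        // Control characters and a closing PHP tag have no place in a DB setting.
        if (preg_match('/[\x00-\x1f\x7f]/', $value) || strpos($value, '?>') !== false) {
            throw new InvalidArgumentException("unexpected characters in $key");
        }
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($value, true) . ");\n";
    }
    return $out;
}

// Integrity check: every non-empty line of a generated config must be the
// opening tag or exactly one define() of an expected key with a plain,
// correctly escaped string literal. Any other line (an extra statement,
// a broken literal, a function call) is returned as a finding.
function findUnexpectedConfigLines(string $configSource): array
{
    $findings = [];
    $allowed = '/^define\(\'(' . implode('|', CONFIG_KEYS) . ')\', \'(?:[^\'\\\\]|\\\\.)*\'\);$/';
    foreach (preg_split('/\R/', $configSource) as $index => $line) {
        $line = trim($line);
        if ($line === '' || $line === '<?php') {
            continue;
        }
        if (!preg_match($allowed, $line)) {
            $findings[] = ($index + 1) . ': ' . $line;
        }
    }
    return $findings;
}

// Constructed sample form: an ordinary setup submission whose password happens
// to contain a single quote and a backslash, the characters that matter here.
$form = [
    'DB_HOST'     => 'localhost',
    'DB_NAME'     => 'church',
    'DB_USER'     => 'crm',
    'DB_PASSWORD' => "s3cret'pa\\ss",
];

// The vulnerable writer produces a DB_PASSWORD line whose literal is broken by
// the quote; the hardened writer keeps the same value inside the literal.
// The check reports the first and accepts the second.
print_r(findUnexpectedConfigLines(writeConfigVulnerable($form)));
print_r(findUnexpectedConfigLines(writeConfigHardened($form)));

// Constructed tampered file: a clean hardened config with one statement appended,
// the shape of change the mitigation answer says to look for in Config.php.
$tampered = writeConfigHardened($form) . "error_log('tampered');\n";
print_r(findUnexpectedConfigLines($tampered));
```

The check is intentionally strict rather than clever: instead of trying to recognise malicious PHP, it whitelists the only line shapes a freshly generated config should contain and reports everything else, which is the same reasoning that makes var_export() the right tool on the writing side. Run it against a saved copy of Include/Config.php (or diff that file against a known-good backup) rather than including the file, since including a tampered config executes whatever was injected.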
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.