CVE-2025-68109
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68109
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 6.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-494 The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in ChurchCRM versions prior to 6.5.3 involves the Database Restore functionality not validating the content or file extension of uploaded files. An attacker can exploit this by uploading a malicious web shell file and then a .htaccess file to enable direct access to the web shell. This allows the attacker to execute remote code on the server.

Impact Analysis

The vulnerability can lead to remote code execution on the server hosting ChurchCRM, which means an attacker could run arbitrary commands, potentially taking control of the server, accessing sensitive data, or disrupting services.

Mitigation Strategies

Upgrade ChurchCRM to version 6.5.3 or later, as this version fixes the vulnerability related to the Database Restore functionality allowing remote code execution via uploaded web shells and .htaccess files.

Compliance Impact

This vulnerability allows attackers to gain full remote code execution on the server, leading to complete system compromise including unauthorized access, modification, or deletion of sensitive data such as user data, financial records, and audit logs. Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive information. Therefore, exploitation of this vulnerability poses a significant risk to compliance with these regulations. [1]

Detection Guidance

Detection of this vulnerability involves checking for the presence of uploaded web shell files and .htaccess files that enable access to them on the ChurchCRM server, especially if the version is prior to 6.5.3. You can scan the web server directories for suspicious files that are not typical database backups, such as files with web shell code or unexpected .htaccess files. Commands to help detect this include: 1) Searching for recently modified or uploaded files in the upload or backup directories, e.g., `find /path/to/churchcrm/uploads -type f -mtime -30` to find files modified in the last 30 days. 2) Grepping for common web shell signatures or suspicious PHP code, e.g., `grep -r --include=*.php 'eval(' /path/to/churchcrm/uploads` or `grep -r 'shell_exec' /path/to/churchcrm/uploads`. 3) Checking for .htaccess files that enable execution or access, e.g., `find /path/to/churchcrm/uploads -name '.htaccess' -exec cat {} \;`. 4) Reviewing web server logs for unusual access patterns to uploaded files that could indicate exploitation attempts. These steps can help identify if an attacker has uploaded malicious files exploiting the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68109. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart