Cyber Posture

CVE-2025-62521

Severity: Critical · Public PoC available

Published: 17 December 2025
Modified: 18 December 2025

CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.5872 (98.2nd percentile)
Risk Priority: 55 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php`, where user input from the setup form is concatenated directly into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can therefore carry PHP code that is written to `Include/Config.php`, which is then executed on every page load. This is more severe than a typical authenticated RCE because it requires no credentials and targets the installation step that every administrator must complete. Version 5.21.0 patches the issue; until the upgrade is applied, the setup wizard should not be reachable from untrusted networks.
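The following is an added illustration of the flaw class described above, not ChurchCRM's own code: the form parameter names, the `$sSERVER`/`$sDATABASE` variables, the template shape and the function names are assumptions chosen for the example. It shows why string interpolation into a generated PHP file is exploitable, and what a hardened writer looks like (strict allow-list validation plus `var_export()` to emit a correctly quoted literal).

```php
<?php
// Added illustration, not ChurchCRM code. Parameter names, variable names and
// the template shape are assumptions for this example.

declare(strict_types=1);

// VULNERABLE PATTERN: the form value is interpolated straight into PHP source
// that will later be include()d on every request. A single quote in the value
// terminates the string literal and the rest is parsed as code.
function renderConfigUnsafe(array $form): string
{
    $host = $form['dbServerName'];   // untrusted, unvalidated
    $name = $form['dbName'];
    return "<?php\n"
        . "\$sSERVER = '{$host}';\n"
        . "\$sDATABASE = '{$name}';\n";
}

// HARDENED PATTERN: validate each field against a strict allow-list, then emit
// it with var_export(), which produces a properly escaped PHP string literal.
function renderConfigSafe(array $form): string
{
    $rules = [
        'dbServerName' => '/\A[A-Za-z0-9.\-]{1,253}(:\d{1,5})?\z/', // hostname[:port]
        'dbName'       => '/\A[A-Za-z0-9_]{1,64}\z/',               // MySQL identifier
    ];
    $out = "<?php\n";
    foreach ($rules as $field => $pattern) {
        $value = $form[$field] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Invalid value for {$field}");
        }
        $var = '$s' . strtoupper($field);             // e.g. $sDBSERVERNAME
        $out .= $var . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

// Constructed payload: closes the literal and appends a harmless call.
$payload = ['dbServerName' => "x'; phpinfo(); //", 'dbName' => 'churchcrm'];

echo renderConfigUnsafe($payload), "\n";
// Emits:  $sSERVER = 'x'; phpinfo(); //';   <- attacker code runs on include

try {
    echo renderConfigSafe($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // rejected: Invalid value for dbServerName
}

// Defence in depth: even if validation were bypassed, var_export() keeps the
// value inside the literal instead of letting it terminate the string.
echo '$sSERVER = ' . var_export("x'; phpinfo(); //", true) . ";\n";
// Emits:  $sSERVER = 'x\'; phpinfo(); //';
```

Validation is the primary control here, because a configuration value that contains quotes, semicolons or comment markers has no legitimate use; `var_export()` is the second layer that makes the generated file safe even when a value slips through.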

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: Directly addresses the lack of validation and sanitization of user input from the setup form, preventing arbitrary PHP code from being written into the configuration file.

prevent: Ensures timely patching to version 5.21.0, which remediates the code injection flaw in the setup wizard.

detect: Monitors the integrity of `Include/Config.php` to detect unauthorized modifications such as injected PHP code.
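As an added example of the detect control above (not part of this page or of ChurchCRM), the script below combines a baseline hash check of `Include/Config.php` with a structural check: a generated configuration file should contain only `$var = <literal>;` statements, so any function call, backtick, `eval` or `include` token is a finding regardless of what the hash says. The baseline location and the exact layout of `Include/Config.php` are assumptions; the sample configs are constructed for the example.

```php
<?php
// Added detection example, not ChurchCRM code. Baseline path and config
// layout are assumptions; record the baseline right after a trusted install.

declare(strict_types=1);

// 1. Integrity: compare the file's SHA-256 against a stored baseline.
function configHashMatches(string $configPath, string $baselinePath): bool
{
    if (!is_file($configPath) || !is_file($baselinePath)) {
        return false;
    }
    $expected = trim((string) file_get_contents($baselinePath));
    return hash_equals($expected, hash_file('sha256', $configPath));
}

// 2. Structure: tokenize the file and flag anything that is not a plain
//    assignment of a literal. Useful when no baseline exists yet.
function findSuspiciousTokens(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (is_string($tok)) {
            if ($tok === '`') {                       // backticks == shell_exec
                $findings[] = 'backtick operator';
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $findings[] = "line {$line}: {$text}";
        }
        // An identifier followed by "(" is a function call; literal
        // assignments never contain one (true/false/null are not followed by "(").
        if ($id === T_STRING) {
            $j = $i + 1;
            while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $count && $tokens[$j] === '(') {
                $findings[] = "line {$line}: call to {$text}()";
            }
        }
    }
    return $findings;
}

// Constructed samples (not real ChurchCRM configs).
$clean    = "<?php\n\$sSERVER = 'localhost';\n\$sDATABASE = 'churchcrm';\n";
$injected = "<?php\n\$sSERVER = 'x'; system(\$_GET['c']); //';\n\$sDATABASE = 'churchcrm';\n";

var_dump(findSuspiciousTokens($clean));     // array(0) {}
print_r(findSuspiciousTokens($injected));   // [0] => line 2: call to system()

// Hash check against a baseline taken from the clean file.
$cfg = tempnam(sys_get_temp_dir(), 'cfg');
$base = tempnam(sys_get_temp_dir(), 'sha');
file_put_contents($cfg, $clean);
file_put_contents($base, hash('sha256', $clean));
var_dump(configHashMatches($cfg, $base));   // bool(true)
file_put_contents($cfg, $injected);
var_dump(configHashMatches($cfg, $base));   // bool(false)
unlink($cfg);
unlink($base);
```

Run the token check from cron or a deploy hook in addition to the hash check: the hash detects any change, including legitimate reconfiguration, while the token scan tells you whether the change introduced executable code.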

Security Summary (AI-generated)

CVE-2025-62521 is a pre-authentication remote code execution vulnerability affecting ChurchCRM, an open-source church management system, in versions prior to 5.21.0. The flaw resides in the setup wizard at `setup/routes/setup.php`, where user input from the setup form is directly concatenated into a PHP configuration template without validation or sanitization. This allows arbitrary PHP code injection into `Include/Config.php`, which is subsequently executed on every page load, earning a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and mapping to CWE-94 (Code Injection).

Unauthenticated attackers can exploit this during the initial installation process, which is reachable without any credentials. By submitting PHP code in any setup form parameter, an attacker achieves full server compromise: the injected code persists in the configuration file and runs on every subsequent request.

The GitHub Security Advisory (GHSA-m8jq-j3p9-2xf3) confirms that ChurchCRM version 5.21.0 addresses the issue with a patch, recommending immediate upgrades for all prior installations.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products
Vendor: churchcrm
Product: churchcrm
Versions: < 5.21.0 (5.21.0 and later contain the fix)

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Pre-authentication RCE in a public-facing web application (ChurchCRM setup wizard) directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
