CVE-2025-68109

ChurchCRM vulnerable to RCE with database restore functionality

CVSS 9.1 CRITICALEPSS 1.4%CWE-434 CWE-494 CWE-552 CWE-78 CWE-915

Vexday Risk Score

43Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.1EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit simPatch —

Lifecycle

17 Dec 2025Metasploit module available

17 Dec 2025Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected products

ChurchCRM · CRM

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77