CVE-2025-62521

10.0 CRITICAL

📋 TL;DR

CVE-2025-62521 is a critical pre-authentication remote code execution vulnerability in ChurchCRM. An unauthenticated attacker can inject arbitrary PHP code through the initial setup wizard; the injected code is written into a configuration file that the application includes on every page load, so one request gives the attacker persistent execution and complete control of the server. All ChurchCRM installations prior to version 5.21.0 are affected, whether the setup wizard is still in progress or has already been completed and left reachable.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: All versions prior to 5.21.0
Operating Systems: Any OS running PHP (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the setup wizard, which every installation must run once. Systems that have completed setup remain vulnerable as long as the setup directory can still be reached through the web server.

📦 What is this software?

ChurchCRM is an open-source, PHP-based church management system that stores congregation member records. It is installed through a browser-driven setup wizard that writes the application's configuration file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover with the attacker gaining full control over the web server, database, and underlying operating system, potentially leading to data theft, ransomware deployment, or use as a foothold for lateral movement.

🟠 Likely Case

Attackers deploy web shells or cryptocurrency miners, steal sensitive church member data, deface websites, or use the compromised server for further attacks.

🟢 If Mitigated

If the setup wizard was completed before the host was exposed to untrusted networks and the /setup/ directory has since been removed or blocked at the web server, the risk is substantially reduced; while the directory remains reachable, the vulnerable code path can still be triggered.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable without authentication during the setup process, which is typically internet-facing for initial installation.
🏢 Internal Only: MEDIUM - Even internal-only deployments are vulnerable during setup, though attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and involves simple PHP code injection into a configuration file. Exploitation is straightforward for attackers with basic web application testing skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.21.0

Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-m8jq-j3p9-2xf3

Restart Required: No

Instructions:

1. Back up the ChurchCRM installation directory and the database.
2. Download ChurchCRM version 5.21.0 or later from the official repository.
3. Replace the application files with the new version, preserving your configuration (Include/Config.php) and data files.
4. Verify that the installation works correctly and reports version 5.21.0 or later.

🔧 Temporary Workarounds

Remove Setup Directory

linux

Delete the setup directory after installation, or keep it on disk but make it unreadable by the web server user. Pick one of the two: a directory that has been deleted can no longer be chmod'ed.

# Option A: remove the wizard entirely (it is only needed for the initial install)
rm -rf /path/to/churchcrm/setup/
# Option B: keep it on disk but deny all access to it
chmod 000 /path/to/churchcrm/setup/

Web Server Access Restriction

all

Configure web server to block access to the setup directory

# Apache: add to the main server config or the vhost (a <Directory> container
# is not permitted inside .htaccess)
<Directory "/path/to/churchcrm/setup">
    Require all denied
</Directory>
# Apache: alternatively, put this single line in /path/to/churchcrm/setup/.htaccess
# (needs AllowOverride AuthConfig or All for that directory)
Require all denied
# Apache 2.2 and older use the legacy syntax in either place:
#     Order deny,allow
#     Deny from all
# Nginx: add to the server block. "deny all" already answers 403; the ^~ prefix
# keeps a regex location such as "location ~ \.php$" from taking precedence
# for /setup/index.php. Prefix the path with the install directory if
# ChurchCRM is not served from the web root.
location ^~ /setup/ {
    deny all;
}

🧯 If You Can't Patch

  • Immediately remove or restrict access to the /setup/ directory using web server configuration or file permissions
  • Isolate the ChurchCRM server from untrusted networks and implement strict network access controls

🔍 How to Verify

Check if Vulnerable:

Check if ChurchCRM version is below 5.21.0 and if the /setup/ directory is accessible via web browser or curl

Check Version:

grep '\$sSoftwareVersion' /path/to/churchcrm/Include/Config.php | head -1

Verify Fix Applied:

ChurchCRM reports version 5.21.0 or higher, and a request for the /setup/ directory returns 403 or 404 instead of the wizard.
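The two checks above (version below 5.21.0, setup directory reachable) combined into one script. This is an added example, not ChurchCRM's own tooling or the vendor advisory's code. It assumes the version can be read from a `$sSoftwareVersion` line in Include/Config.php (the grep used above) and that the wizard lives at <base_url>/setup/; adjust both if your install differs.

```python
"""Vulnerability check for CVE-2025-62521 (added example, not ChurchCRM code).

Assumptions: the installed version can be read from a line such as
    $sSoftwareVersion = "5.20.0";
in Include/Config.php, and the setup wizard is served from <base_url>/setup/.
Both come from this page, not from auditing every ChurchCRM release.
"""
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (5, 21, 0)


def parse_version(text):
    """Return the first x.y.z version in text as an int tuple, or None.

    Tuples compare numerically, so (5, 9, 0) < (5, 21, 0); a plain string
    comparison would wrongly sort "5.9.0" after "5.21.0".
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_vulnerable(version):
    return version is not None and version < FIXED_VERSION


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: a 30x away from /setup/ must not be mistaken
    # for the wizard being reachable, so surface the raw status instead.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_setup(base_url, timeout=5):
    """GET <base_url>/setup/ and return the HTTP status, or None if unreachable."""
    url = base_url.rstrip("/") + "/setup/"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as e:
        return e.code  # 403, 404, 30x ... all land here once redirects are off
    except urllib.error.URLError:
        return None


def assess(version, setup_status):
    """Combine both checks into one verdict string."""
    if version is None:
        return "unknown-version"
    if not version_is_vulnerable(version):
        return "patched"
    if setup_status is None:
        return "vulnerable-version-host-unreachable"
    if setup_status in (403, 404):
        return "vulnerable-version-setup-blocked"
    return "vulnerable"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_cve_2025_62521.py /path/to/churchcrm/Include/Config.php https://crm.example.org")
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        line = next((l for l in fh if "$sSoftwareVersion" in l), "")
    ver = parse_version(line)
    status = probe_setup(sys.argv[2])
    print(f"version={ver} setup_status={status} verdict={assess(ver, status)}")
```

A verdict of vulnerable-version-setup-blocked means the workaround is holding but the patch is still outstanding; only patched closes the finding.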

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /setup/ endpoints
  • Multiple failed attempts to access setup.php
  • Unexpected file modifications to Include/Config.php

Network Indicators:

  • HTTP requests containing PHP code in parameters to setup endpoints
  • Traffic to setup directory from unexpected sources

SIEM Query:

source="web_server_logs" AND (uri_path="/setup/*" OR uri_path="/setup.php") AND (http_method="POST" OR parameters CONTAINS "<?php" OR parameters CONTAINS "%3C%3Fphp" OR parameters CONTAINS "eval(" OR parameters CONTAINS "eval%28")

This pseudo-query matches literal substrings, so URL-decode the query string before matching or include the percent-encoded forms as shown; prefix uri_path with the install directory if ChurchCRM is not served from the web root. Standard access logs record the query string but not POST bodies, so body-borne payloads are only visible with WAF or request-body logging.
