CVE-2025-68109
📋 TL;DR
ChurchCRM versions before 6.5.3 have a critical vulnerability in the Database Restore functionality that allows attackers to upload malicious files without validation. This enables remote code execution (RCE) by uploading web shells and .htaccess files to gain server control. All ChurchCRM installations using vulnerable versions are affected.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM is an open-source, PHP-based church management system maintained by the ChurchCRM project.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing data theft, malware deployment, lateral movement to other systems, and persistent backdoor access.
Likely Case
Attacker gains full control of the ChurchCRM server, accesses sensitive member data, and potentially compromises the entire hosting environment.
If Mitigated
Limited impact with proper file upload restrictions, web application firewalls, and network segmentation in place.
🎯 Exploit Status
Exploitation requires authenticated access to ChurchCRM, but the attack chain is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77
Restart Required: No
Instructions:
1. Backup your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.3 or later from the official repository.
3. Replace all files with the new version.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Database Restore Functionality (all platforms)
Temporarily disable the vulnerable Database Restore feature until patching is possible.
# Modify ChurchCRM configuration to disable restore functionality
# Check ChurchCRM documentation for specific configuration options
Restrict File Uploads via Web Server (Linux)
Configure the web server (Apache/Nginx) to refuse to serve .htaccess files and executable scripts from the directory where uploaded or restored files are stored. ChurchCRM is itself a PHP application, so scope these rules to the upload directory only; applied site-wide they would block every legitimate page.
# Apache: place in the upload directory's .htaccess (needs AllowOverride) or in a <Directory> block for that directory in httpd.conf
RewriteEngine On
RewriteRule \.(htaccess|php|sh|pl|py)$ - [F,L]
# Nginx: add inside the server block; replace /uploads/ with the URI prefix of the upload directory
location ~* ^/uploads/.*\.(htaccess|php|sh|pl|py)$ { deny all; }
🧯 If You Can't Patch
- Implement strict file upload validation at the web application level to reject unauthorized file types.
- Deploy a web application firewall (WAF) with rules to detect and block web shell upload attempts.
🔍 How to Verify
Check if Vulnerable:
Check ChurchCRM version in admin panel or by examining the software files. If version is below 6.5.3, the system is vulnerable.
Check Version:
Check ChurchCRM admin dashboard or examine version.php file in the installation directory.
Verify Fix Applied:
After updating, verify the version shows 6.5.3 or higher in the admin interface and test that file upload validation is working.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to Database Restore endpoint
- .htaccess file modifications in ChurchCRM directories
- Web shell access patterns in access logs
Network Indicators:
- HTTP POST requests to upload endpoints with suspicious file extensions
- Unusual outbound connections from ChurchCRM server
SIEM Query (vendor-neutral pseudo-syntax; adapt field names to your platform):
source="web_logs" AND (uri_path="/restore/upload" OR file_extension IN ("php", "htaccess", "sh", "pl", "py"))
Scope the file_extension clause to the upload directory, since ChurchCRM's own pages are served as .php and an unscoped match on "php" flags every legitimate request.
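The SIEM query above as a stand-alone filter over access-log lines, added here as an example and not code from the advisory or the ChurchCRM project. It assumes the restore endpoint path /restore/upload given in the query and a placeholder upload-directory prefix /uploads/, and it scopes the extension check to that prefix because ChurchCRM's own pages are .php and a site-wide match would flag every legitimate request.

```python
import re
# Assumed endpoint (from the SIEM query on this page) and a placeholder upload-dir
# URI prefix (not a ChurchCRM path): set both to what your deployment actually logs.
RESTORE_ENDPOINT = "/restore/upload"
UPLOAD_DIR_PREFIXES = ("/uploads/",)
SCRIPT_EXTENSIONS = {"php", "htaccess", "sh", "pl", "py"}
# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def has_script_extension(path):
    """True for .htaccess itself and for names ending in a script extension."""
    name = path.rsplit("/", 1)[-1]
    if name == ".htaccess":
        return True
    return "." in name and name.rsplit(".", 1)[-1].lower() in SCRIPT_EXTENSIONS

def flag_suspicious(lines):
    """(reason, ip, path, status) for each line matching the page's indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(RESTORE_ENDPOINT):
            findings.append(("restore-upload", rec["ip"], rec["path"], rec["status"]))
        elif rec["path"].startswith(UPLOAD_DIR_PREFIXES) and has_script_extension(rec["path"]):
            findings.append(("script-in-upload-dir", rec["ip"], rec["path"], rec["status"]))
    return findings

# Constructed sample lines (not real traffic) exercising each branch.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "POST /restore/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2026:10:00:09 +0000] "GET /uploads/x.php?q=1 HTTP/1.1" 200 88 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Jan/2026:10:00:12 +0000] "GET /uploads/.htaccess HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2026:10:01:00 +0000] "GET /Menu.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2026:10:01:02 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    "not an access log line",
]
```

Run `flag_suspicious(SAMPLE_LOG)` to see the three flagged entries; a blocked (403) request for .htaccess under the upload directory is still reported, since the attempt itself is the indicator.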