Platform: php
Component: crm
Fixed in: 5.21.1
CVE-2025-62521 is a critical Remote Code Execution (RCE) vulnerability affecting ChurchCRM, an open-source church management system. This flaw allows unauthenticated attackers to inject malicious PHP code during the initial setup process, potentially leading to complete server compromise. The vulnerability impacts versions of ChurchCRM prior to 5.21.0, and a patch is available to address the issue.
The impact of CVE-2025-62521 is severe. An attacker can exploit this vulnerability to gain complete control over the affected ChurchCRM server. This includes the ability to execute arbitrary commands, access sensitive data stored on the server (such as church member information, financial records, and internal communications), and potentially pivot to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. Successful exploitation could result in data breaches, denial of service, and the installation of malware, effectively crippling the church's operations and potentially exposing sensitive personal information.
CVE-2025-62521 was published on December 17, 2025. The vulnerability's ease of exploitation, combined with the critical CVSS score of 10, suggests a high probability of exploitation. It is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and the lack of authentication required. Active campaigns targeting ChurchCRM are currently unconfirmed, but the potential for exploitation is significant.
Exploit Status
EPSS: 62.79% (98th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-62521 is to immediately upgrade ChurchCRM to version 5.21.0 or later. If upgrading is not immediately feasible, consider temporarily disabling the setup wizard to prevent new installations from being vulnerable. As a short-term workaround, implement strict input validation and sanitization on all user inputs within the setup wizard, although this is not a substitute for patching. Monitor web server logs for suspicious activity related to the /setup/ directory. Consider implementing a Web Application Firewall (WAF) with rules to detect and block attempts to inject PHP code into configuration files. After upgrading, verify the fix by attempting a new installation and confirming that the setup process does not allow arbitrary code execution.
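As an added detection example (not code from the advisory or the ChurchCRM project), the following Python script scans Apache/nginx combined-format access-log lines for the two signals the mitigation section mentions: any request to the /setup/ wizard on an instance whose installation is already complete, and a PHP open tag appearing in a request URL. The log lines are constructed, and the `/setup` prefix and the `setup_completed` flag are assumptions about the deployment.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format; we only need client IP, method, path and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not from a real server): normal traffic, setup-wizard hits on an
# already-installed instance, and a PHP open tag smuggled into a query string.
SAMPLE_LOG = """\
198.51.100.4 - - [18/Dec/2025:10:00:30 +0000] "GET /index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2025:10:01:02 +0000] "GET /setup/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2025:10:01:09 +0000] "POST /setup/ HTTP/1.1" 302 0 "-" "python-requests/2.32"
203.0.113.7 - - [18/Dec/2025:10:03:00 +0000] "GET /setup/?db=%3C%3Fphp HTTP/1.1" 200 12 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_request(rec, setup_completed=True):
    """Return detection reasons for one parsed request; an empty list means benign."""
    # setup_completed=True models a production instance (assumption): once installation is
    # finished the wizard should never be requested again, so any /setup/ hit is worth an alert.
    reasons = []
    decoded = unquote(rec["path"])
    if setup_completed and decoded.split("?", 1)[0].lower().startswith("/setup"):
        reasons.append("setup-wizard-access")
        if rec["method"] == "POST":
            reasons.append("setup-wizard-post")  # a form submission, not just a page view
    if "<?php" in decoded.lower():
        reasons.append("php-open-tag-in-url")
    return reasons


def scan_log(text, setup_completed=True):
    """Scan a whole log; return (alerts, hits_per_ip) for the lines that trip a rule."""
    alerts, per_ip = [], {}
    for line in text.splitlines():
        rec = parse_line(line)
        reasons = flag_request(rec, setup_completed) if rec else []
        if reasons:
            alerts.append({**rec, "reasons": reasons})
            per_ip[rec["ip"]] = per_ip.get(rec["ip"], 0) + 1
    return alerts, per_ip


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG)[0]:
        print(a["ip"], a["method"], a["path"], a["status"], ", ".join(a["reasons"]))
```

Access logs do not record POST bodies, so code injected through the wizard's form fields is only visible to a WAF or to request-body logging; this script catches the wizard being reached at all, which on a finished installation should not happen.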
Update ChurchCRM to version 5.21.0 or higher. This version contains a fix for the remote code execution vulnerability. It is recommended to perform the update as soon as possible to avoid possible attacks.
It's a CRITICAL Remote Code Execution (RCE) vulnerability in ChurchCRM's setup wizard, allowing attackers to inject PHP code without authentication.
You are affected if you are running ChurchCRM versions prior to 5.21.0. Immediately assess your environment.
Upgrade to ChurchCRM version 5.21.0 or later. If immediate upgrade isn't possible, disable the setup wizard as a temporary measure.
Active campaigns are currently unconfirmed, but the high severity and ease of exploitation suggest a high risk of future exploitation.
Refer to the official ChurchCRM security advisory and the NVD entry for CVE-2025-62521 for detailed information.