CVE-2025-62521 in ChurchCRM
Summary
by MITRE • 12/17/2025
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.
Analysis
by VulDB Data Team • 12/20/2025
The vulnerability identified as CVE-2025-62521 represents a critical pre-authentication remote code execution flaw within ChurchCRM, an open-source church management system that serves thousands of religious organizations worldwide. This vulnerability specifically affects versions prior to 5.21.0 and exposes the system to severe security risks during its initial setup phase. The flaw stems from inadequate input validation and sanitization practices within the application's installation wizard, creating a pathway for unauthenticated attackers to gain complete control over affected servers. The vulnerability's severity is amplified by its pre-authentication nature, meaning that no valid credentials or prior access are required to exploit the flaw, making it particularly dangerous for organizations that may not have robust network security measures in place.
The technical implementation of this vulnerability occurs within the `setup/routes/setup.php` file where user input from the setup form is directly concatenated into a PHP configuration template without any form of validation or sanitization. This dangerous practice allows attackers to inject arbitrary PHP code through various parameters in the setup form, which then gets written to the `Include/Config.php` file. The configuration file serves as the core configuration point for the entire application, making it a prime target for malicious code injection. Once the malicious PHP code is written to this file, it becomes executable on every page load of the application, effectively providing attackers with persistent access to the server. This injection mechanism operates at the configuration level rather than through traditional application interfaces, making it particularly stealthy and difficult to detect through standard security monitoring.
The operational impact of this vulnerability extends far beyond simple code execution, as it provides attackers with complete server compromise capabilities during the critical installation phase when administrators are typically focused on setting up the system rather than security considerations. The vulnerability's exploitation requires no authentication, which means that any attacker with network access to the target server can leverage this flaw without needing to overcome additional security barriers. This characteristic makes the vulnerability particularly attractive to automated attack tools and increases the likelihood of successful exploitation across a wide range of organizations. The persistence of the injected code through the `Include/Config.php` file ensures that even if administrators attempt to reinstall or reset the system, the malicious code will continue to execute on every page load, maintaining the attacker's control over the compromised server. Organizations using vulnerable versions of ChurchCRM face significant risks including data theft, system manipulation, and potential use as a launching point for further attacks within their network infrastructure.
The remediation for this vulnerability is straightforward yet critical, requiring organizations to upgrade to ChurchCRM version 5.21.0 or later, which includes proper input validation and sanitization mechanisms within the setup process. This update addresses the core issue by implementing proper parameter validation and sanitization before any user input is written to configuration files, thereby preventing the injection of malicious code. Security practitioners should also conduct thorough audits of any systems that may have been compromised during the vulnerable version's deployment period, ensuring that no malicious code remains in the configuration files or system logs. Additionally, organizations should implement network segmentation and monitoring to detect unusual traffic patterns that might indicate exploitation attempts, particularly during system installation phases. The vulnerability aligns with CWE-94, which describes the weakness of allowing code to be injected into a system, and represents a clear violation of secure coding practices that should be enforced across all application development lifecycle phases. Organizations should also consider implementing web application firewalls and input validation controls as additional layers of protection, particularly for systems that may not receive immediate updates or patches.
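The concatenation flaw described in the analysis and the validate-before-write remediation it calls for, as an added illustration that is not ChurchCRM's own setup code: the function names, config keys and validation patterns are assumptions, and the point is that settings are accepted only against an allowlist and emitted through var_export() as escaped PHP literals instead of being pasted into source.

```php
<?php
// Added example (not ChurchCRM's own code): persisting setup-wizard input to a
// PHP config file. Function names, keys and patterns are hypothetical.
// Unsafe pattern (the bug class described above): raw input is pasted into PHP
// source, so any value that closes the string literal runs as code the next
// time the file is included.
function writeConfigUnsafe(string $path, array $input): void
{
    $src = "<?php\n";
    foreach ($input as $key => $value) {
        $src .= "\$config['$key'] = '$value';\n";
    }
    file_put_contents($path, $src);
}

// Hardened pattern: allowlist the keys, validate each value against the shape it
// must have, and let var_export() emit a properly escaped PHP literal.
const SETTING_RULES = [
    'db_host'     => '/^[A-Za-z0-9.\-]{1,253}$/',
    'db_port'     => '/^[1-9][0-9]{0,4}$/',
    'db_name'     => '/^[A-Za-z0-9_]{1,64}$/',
    'db_user'     => '/^[A-Za-z0-9_.\-]{1,64}$/',
    'db_password' => '/^[\x20-\x7E]{0,128}$/', // printable ASCII; quotes allowed
];

function validateSettings(array $input): array
{
    $clean = [];
    foreach (SETTING_RULES as $key => $pattern) {
        $value = $input[$key] ?? '';
        if (!is_string($value) || !preg_match($pattern, $value)) {
            throw new InvalidArgumentException("Rejected setup value for '$key'");
        }
        $clean[$key] = $value;
    }
    return $clean; // keys not in the allowlist are dropped, never written
}

function writeConfigSafe(string $path, array $input): void
{
    $clean = validateSettings($input);
    // var_export() quotes and escapes every string, so a password containing
    // ' or \ is stored as data, not interpreted as code.
    $src = "<?php\nreturn " . var_export($clean, true) . ";\n";
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    chmod($tmp, 0640);
    rename($tmp, $path); // atomic replace: a half-written file is never included
}
```

With this shape the generated file contains nothing but a returned array literal, so during the post-incident audit the analysis recommends, any other PHP statement found in the configuration file is a clear sign of tampering.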