CVE-2025-66397 in ChurchCRM
Summary
by MITRE • 12/17/2025
ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue.
Analysis
by VulDB Data Team • 12/17/2025
The vulnerability identified as CVE-2025-66397 affects ChurchCRM, an open-source church management system that serves religious organizations worldwide. This issue resides within the Kiosk Manager feature, which is designed to facilitate kiosk operations for church members and visitors. The affected system provides functionality for managing kiosk registrations and operations through four specific functions: allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk. These functions are critical components that enable church administrators to control kiosk access and management within their digital infrastructure.
The technical flaw represents a classic broken access control vulnerability classified under CWE-285, which occurs when an application fails to properly verify whether an authenticated user has sufficient privileges to perform specific operations. In this case, the system does not adequately validate user permissions before executing kiosk management functions. Any authenticated user, regardless of their role or authorization level within the church management system, can exploit this weakness to perform administrative actions typically restricted to authorized personnel. This bypass occurs because the application lacks proper authorization checks before executing the vulnerable functions, allowing privilege escalation through unauthorized access to kiosk management capabilities.
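The pattern described above, an action gated only by "is this user logged in?" rather than "is this user allowed to manage kiosks?", is illustrated below as an added example. It is not ChurchCRM code and does not reproduce its real handlers or permission model: the route names mirror the advisory, but the action bodies, the `User` type and the `kiosk_admin` permission are assumptions made for the demonstration. The same dispatcher is built twice, once with the authentication-only gate and once with a permission requirement, and a small static check lists every route that carries no permission requirement, which is the kind of audit that would have flagged the four affected functions.

```python
"""Added example (not ChurchCRM's code): authentication-only vs permission-checked
dispatch for Kiosk Manager actions. All names and state are hypothetical."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # constructed: e.g. frozenset({"kiosk_admin"})


class Unauthorized(Exception):
    """No authenticated user."""


class Forbidden(Exception):
    """Authenticated, but lacking the permission the action requires."""


@dataclass
class KioskState:
    registration_open: bool = False
    accepted: set = field(default_factory=set)
    reloads: int = 0


def require_authenticated(fn):
    """Vulnerable gate: any logged-in user passes (CWE-285 pattern)."""
    @wraps(fn)
    def wrapper(state, user, *args):
        if user is None:
            raise Unauthorized(fn.__name__)
        return fn(state, user, *args)
    wrapper.required_permission = None  # recorded for the audit below
    return wrapper


def require_permission(perm):
    """Hardened gate: authentication plus an explicit permission check."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(state, user, *args):
            if user is None:
                raise Unauthorized(fn.__name__)
            if perm not in user.permissions:
                raise Forbidden(f"{user.name} lacks {perm} for {fn.__name__}")
            return fn(state, user, *args)
        wrapper.required_permission = perm
        return wrapper
    return decorate


# Hypothetical action bodies; the real ones are irrelevant to the access-control point.
def _allow_registration(state, user):
    state.registration_open = True
    return state.registration_open


def _accept_kiosk(state, user, kiosk_id):
    state.accepted.add(kiosk_id)
    return kiosk_id in state.accepted


def _reload_kiosk(state, user, kiosk_id):
    state.reloads += 1
    return state.reloads


def _identify_kiosk(state, user, kiosk_id):
    return f"kiosk:{kiosk_id}"


_ACTIONS = {
    "allowRegistration": _allow_registration,
    "acceptKiosk": _accept_kiosk,
    "reloadKiosk": _reload_kiosk,
    "identifyKiosk": _identify_kiosk,
}

# Vulnerable routing: every Kiosk Manager action is reachable by any authenticated user.
VULNERABLE_ROUTES = {name: require_authenticated(fn) for name, fn in _ACTIONS.items()}

# Hardened routing: every Kiosk Manager action requires the (assumed) kiosk_admin permission.
HARDENED_ROUTES = {name: require_permission("kiosk_admin")(fn) for name, fn in _ACTIONS.items()}


def dispatch(routes, name, state, user, *args):
    """Run a named action through the given route table."""
    return routes[name](state, user, *args)


def unguarded_actions(routes):
    """Static audit: route names that carry no permission requirement at all."""
    return sorted(n for n, h in routes.items() if getattr(h, "required_permission", None) is None)


if __name__ == "__main__":
    member = User("member", frozenset())
    print("vulnerable, unguarded:", unguarded_actions(VULNERABLE_ROUTES))
    print("member allowRegistration (vulnerable):",
          dispatch(VULNERABLE_ROUTES, "allowRegistration", KioskState(), member))
    try:
        dispatch(HARDENED_ROUTES, "allowRegistration", KioskState(), member)
    except Forbidden as exc:
        print("hardened:", exc)
```

The audit function is the part worth keeping: it only works because each handler records the permission it enforces, so a route table can be checked mechanically for actions that were wired up with authentication alone. Whatever framework is in use, the equivalent review is to confirm that every administrative handler names the privilege it requires, rather than relying on a session existing.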
The operational impact of this vulnerability extends beyond simple unauthorized access, as it creates potential security risks for church organizations managing sensitive data through their kiosk systems. An authenticated attacker could manipulate kiosk registrations, potentially allowing unauthorized individuals to gain access to church resources or information. The ability to reload kiosks and identify kiosk devices could enable attackers to disrupt services, manipulate data flows, or gain persistent access to church management systems. This vulnerability undermines the security model of the application, potentially exposing church member information and operational data to unauthorized modification or access. The impact is particularly concerning for organizations that rely heavily on kiosk systems for member registration, event management, or other sensitive church operations.
Organizations using ChurchCRM versions prior to 6.5.3 should upgrade to version 6.5.3 or later without delay, as that release contains the patches that address the access control flaws. Additionally, administrators should review user permissions and roles within the system to ensure that only authorized personnel have access to kiosk management functions. Network segmentation and monitoring of kiosk-related activities can provide additional layers of defense. The vulnerability demonstrates the importance of implementing proper authorization controls for all administrative functions, particularly in systems handling sensitive organizational data. This issue aligns with ATT&CK technique T1078.004 for valid accounts and T1531 for credential access, highlighting the need for robust access control mechanisms in web applications. Organizations should also consider implementing automated vulnerability scanning and regular security assessments to identify similar access control issues in their software ecosystems.
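The monitoring recommended above can be made concrete with a small log review. The following is an added example, not part of the advisory and not tied to any real ChurchCRM log format: the audit lines, their `key=value` layout, the `role` values and the `result` codes are all constructed for the demonstration. It parses the lines, keeps only the four Kiosk Manager actions named in the advisory, and reports those that succeeded for an account outside the assumed administrative role, which is exactly the activity that an unpatched instance would permit and a patched one would answer with a denial.

```python
"""Added example (not ChurchCRM's code): flag Kiosk Manager actions performed by
non-administrative accounts in a constructed key=value audit log."""
import re
from collections import Counter

# The four functions named in the advisory for CVE-2025-66397.
KIOSK_ACTIONS = {"allowRegistration", "acceptKiosk", "reloadKiosk", "identifyKiosk"}

# Assumption for this example: only the "admin" role may use the Kiosk Manager.
AUTHORIZED_ROLES = {"admin"}

# Constructed sample log; the format is invented for the example.
SAMPLE_LOG = """\
2025-12-17T09:58:02Z user=pat role=admin action=login result=200
2025-12-17T10:01:40Z user=jsmith role=member action=login result=200
2025-12-17T10:02:11Z user=jsmith role=member action=allowRegistration result=200
2025-12-17T10:02:15Z user=jsmith role=member action=acceptKiosk kiosk=3 result=200
2025-12-17T10:05:00Z user=pat role=admin action=reloadKiosk kiosk=1 result=200
2025-12-17T10:07:33Z user=jsmith role=member action=identifyKiosk kiosk=3 result=200
2025-12-17T10:09:10Z user=alex role=member action=acceptKiosk kiosk=2 result=403
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unprivileged_kiosk_actions(records):
    """Kiosk Manager actions that *succeeded* for a user outside AUTHORIZED_ROLES.

    A denied attempt (non-200 result) is what a patched 6.5.3+ instance produces,
    so it is excluded here; it would belong in a separate 'attempts' report.
    """
    return [
        r for r in records
        if r.get("action") in KIOSK_ACTIONS
        and r.get("role") not in AUTHORIZED_ROLES
        and r.get("result") == "200"
    ]


def summarize(records):
    """Count flagged (user, action) pairs so repeated use by one account stands out."""
    return Counter((r["user"], r["action"]) for r in unprivileged_kiosk_actions(records))


if __name__ == "__main__":
    for r in unprivileged_kiosk_actions(parse_log(SAMPLE_LOG)):
        print(f"{r['ts']} {r['user']} ({r['role']}) performed {r['action']}")
```

On a version prior to 6.5.3 these successful entries are the evidence that the flaw was exercised; after upgrading, the same query should return nothing, and any denied attempts that remain are worth a closer look at the account involved.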