Description
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-203917
1. Vulnerability Assessment and Severity Evaluation
The vulnerability identified in ChurchCRM, an open-source church management system, is a pre-authentication remote code execution (RCE) flaw. It allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The severity is rated with a CVSS Base Score of 10.0, the maximum, indicating a critical risk. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H breaks down as follows:
- Attack Vector (AV:N): Network-based attack.
- Attack Complexity (AC:L): Low complexity required to exploit.
- Privileges Required (PR:N): No privileges required.
- User Interaction (UI:N): No user interaction required.
- Scope (S:C): Changed; the injected code runs with the web server's privileges, so the impact reaches beyond ChurchCRM itself to the host and anything the web server account can reach.
- Confidentiality (C:H): High impact on confidentiality.
- Integrity (I:H): High impact on integrity.
- Availability (A:H): High impact on availability.
2. Potential Attack Vectors and Exploitation Methods
The primary attack vector is the setup wizard used during the initial installation of ChurchCRM. The vulnerability resides in setup/routes/setup.php, where user input from the setup form is directly concatenated into a PHP configuration template without validation or sanitization. An attacker can place PHP code in any parameter of the setup form, and that text is written verbatim into Include/Config.php. Because Config.php is included on every page load, the injected code runs on every subsequent request with the same privileges as the web server. The exposure window is the period during which the setup wizard is reachable over the network, that is, until the administrator completes the installation.
Code injection into the configuration file is the single primitive; everything else follows from it. Once arbitrary PHP executes on every page load, an attacker can:
- Execute operating system commands through PHP's process-execution functions, with the web server's privileges.
- Exfiltrate data: Config.php itself holds the database credentials, so the injected code can read the database and send its contents to a remote server.
- Install persistent backdoors, for example a web shell on disk or additional code left in Config.php, that survive the completion of the setup wizard.
- Pivot from the compromised host to other systems reachable from it.
3. Affected Systems and Software Versions
The vulnerability affects all versions of ChurchCRM prior to version 5.21.0. Any system running an affected version is at risk while its setup wizard is reachable, which is the case until the initial installation has been completed. This includes:
- ChurchCRM versions: < 5.21.0
- Deployment environments: Any server, container, or cloud instance where an affected ChurchCRM version is installed and the setup wizard is exposed to untrusted networks during installation.
4. Recommended Mitigation Strategies
To mitigate the risk associated with this vulnerability, the following strategies are recommended:
- Immediate Upgrade: Upgrade to ChurchCRM version 5.21.0 or later, which includes the patch for this vulnerability. Use the patched version for any new installation rather than installing an old release and upgrading afterwards, since the vulnerable step is the installation itself.
- Input Validation: For this class of bug, validation means never concatenating request data into PHP source. Configuration values must be restricted to an allow-list of expected keys, checked against the shape each value is supposed to have (hostname, port, identifier), and emitted as properly escaped PHP literals, for example via var_export(), so that quotes and closing tags in the input remain data.
- Code Review: Review the code base for other places where user-controlled text is written into files that are later included or executed, and fix them in the same way.
- Network Segmentation: Keep the application tier, and in particular any host still running the setup wizard, isolated from untrusted networks, so that a compromised web server cannot reach other systems freely.
- Monitoring and Logging: Log requests to the setup routes and alert on POST requests to them from unexpected sources or after installation was expected to be complete.
- Access Controls: Perform the installation from localhost or a trusted network, or put the setup wizard behind web-server-level authentication or an IP allow-list until setup is complete. After installation, verify that Include/Config.php contains only the expected assignments. If an affected version's setup wizard was exposed to the Internet before patching, treat the host as potentially compromised and rebuild it rather than only upgrading.
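The following PHP script is an added illustration of the pattern described in sections 2 and 4, not ChurchCRM's own code. The configuration template, the form field names (db_host, db_name, db_user, db_pass), the generated variable names and the payload are all simplified stand-ins chosen for the example; the advisory does not reproduce the real template from setup/routes/setup.php. The script shows the vulnerable concatenation beside a hardened writer that allow-lists keys and emits values with var_export(), and a tokenizer-based check that flags a config file containing anything other than assignments of literals.

```php
<?php
// Added illustration (not ChurchCRM's own code). Template, field names,
// generated variable names and payload are hypothetical stand-ins for the
// advisory's description of setup form input being written into
// Include/Config.php; the real template is not reproduced here.
declare(strict_types=1);

// Fields the (hypothetical) setup form is expected to send.
const CONFIG_FIELDS = ['db_host', 'db_name', 'db_user', 'db_pass'];

// Vulnerable pattern: raw concatenation of request data into PHP source.
// A value that closes the quote and appends a statement becomes code that
// runs on every request that includes the generated file.
function renderConfigVulnerable(array $form): string
{
    $src = "<?php\n";
    foreach (CONFIG_FIELDS as $key) {
        $src .= '$' . $key . " = '" . ($form[$key] ?? '') . "';\n";
    }
    return $src;
}

// Hardened pattern: allow-list the keys, check the shape of values that have
// one, and emit each value with var_export(), which produces a correctly
// quoted and escaped PHP string literal. Quotes, backslashes, "?>" and
// newlines in the input stay inside the literal instead of terminating it.
function renderConfigHardened(array $form): string
{
    $src = "<?php\n";
    foreach (CONFIG_FIELDS as $key) {
        $value = (string) ($form[$key] ?? '');
        // Simplified hostname/IPv4[:port] check for the example; extend for IPv6.
        if ($key === 'db_host' && !preg_match('/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/', $value)) {
            throw new InvalidArgumentException('invalid db_host');
        }
        $src .= '$' . $key . ' = ' . var_export($value, true) . ";\n";
    }
    return $src;
}

// Detection check for an already written config: a data-only config should
// tokenize into nothing but "$var = <literal>;" statements. Any other token
// (function names, echo, eval, backticks, a second open tag, inline HTML)
// is reported. Tune the allow-list against a known-good Config.php.
function suspiciousConfigTokens(string $phpSource): array
{
    $allowedIds   = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_VARIABLE,
                     T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];
    $allowedChars = ['=', ';'];
    $allowedWords = ['true', 'false', 'null'];
    $found    = [];
    $openTags = 0;
    foreach (token_get_all($phpSource) as $tok) {
        if (!is_array($tok)) {                       // single-character token
            if (!in_array($tok, $allowedChars, true)) {
                $found[] = $tok;
            }
            continue;
        }
        [$id, $text] = $tok;
        if ($id === T_OPEN_TAG && ++$openTags > 1) {
            $found[] = 'second open tag';
            continue;
        }
        if ($id === T_STRING && in_array(strtolower($text), $allowedWords, true)) {
            continue;                                // bare true/false/null is fine
        }
        if (!in_array($id, $allowedIds, true)) {
            $found[] = token_name($id) . ' ' . trim($text);
        }
    }
    return $found;
}

// Constructed payload: closes the string literal, appends a statement, and
// comments out the rest of the template line. Harmless echo stands in for
// whatever an attacker would actually run.
$form = [
    'db_host' => 'localhost',
    'db_name' => "x'; echo 'injected'; //",
    'db_user' => 'churchcrm',
    'db_pass' => 'secret',
];

$bad  = renderConfigVulnerable($form);
$good = renderConfigHardened($form);

echo "--- vulnerable output ---\n" . $bad;
echo 'suspicious tokens: ' . implode(', ', suspiciousConfigTokens($bad)) . "\n\n";
echo "--- hardened output ---\n" . $good;
echo 'suspicious tokens: ' . (suspiciousConfigTokens($good) ? 'yes' : 'none') . "\n";
```

Run with `php config_injection_demo.php` (PHP 7.4 or later). The vulnerable output contains a second statement, which the token check reports as `T_ECHO echo`; the hardened output keeps the whole payload inside one string literal and the check reports nothing. The same check can be pointed at an existing Include/Config.php as a post-installation integrity test, with the allow-list widened to whatever the shipped template legitimately contains.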
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations using ChurchCRM, particularly those within the European Union. The potential for complete server compromise can lead to data breaches, loss of sensitive information, and disruption of services. This underscores the importance of robust cybersecurity practices and timely patch management. The European cybersecurity landscape must emphasize the need for continuous monitoring, regular updates, and adherence to best practices to mitigate such risks.
6. Technical Details for Security Professionals
For security professionals, the following technical details are crucial:
- Vulnerable component: setup/routes/setup.php. User input from the setup form is concatenated directly into a PHP configuration template, so any form parameter is an injection point.
- Affected file: Include/Config.php. The generated file is included on every page load, so injected code executes on every request with the web server's privileges.
- Patch information: The vulnerability is patched in ChurchCRM version 5.21.0.
- Detection: Monitor web server logs for requests to the setup routes, especially POST requests from unexpected sources or after installation should have completed, and compare Include/Config.php against the expected template; anything beyond plain configuration assignments indicates injection. Generic intrusion detection signatures are unlikely to catch the PHP in a form field, so application-level checks matter more here.
- Response: Have an incident response plan that covers identifying whether the setup wizard was exposed while vulnerable, containing the host, inspecting Config.php and the web root for injected code and web shells, rotating the database credentials stored in Config.php, and rebuilding if compromise cannot be ruled out.
Conclusion
The pre-authentication RCE vulnerability in ChurchCRM is a critical risk that requires immediate attention. Organizations must prioritize upgrading to the patched version and implement robust security measures to protect against potential exploitation. The European cybersecurity community should use this as an opportunity to reinforce the importance of proactive security practices and continuous vigilance.
References
- GitHub Advisory: GHSA-m8jq-j3p9-2xf3
- CVE ID: CVE-2025-62521
- ENISA ID Product: 1001bb7e-976b-3b02-ad3a-3afb29acef97
- ENISA ID Vendor: ed17779d-6cae-3a57-8ece-87f517c17c0c