Cyber Resilience

CVE-2025-1023

CriticalPublic PoC

Published: 18 February 2025

Published
18 February 2025
Modified
21 February 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Red
EPSS Score 0.0275 86.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1023 is a critical-severity SQL Injection (CWE-89) vulnerability in Churchcrm Churchcrm. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ChurchCRM versions 5.13.0 and prior are affected by a time-based blind SQL injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without sanitization, allowing construction of arbitrary database queries under CWE-89.

An authenticated user with administrative privileges can exploit the flaw remotely to execute crafted SQL statements, resulting in data exfiltration, modification, or deletion. The CVSS 9.3 rating reflects network attack vector, low complexity, and high impact across confidentiality, integrity, and availability with no user interaction required.

The single reference points to a GitHub issue opened for the vulnerability, though no specific patch or mitigation guidance is detailed in the available information. The EPSS score has remained flat at 0.0275 with no material rise after disclosure.

EU & UK References

Vulnerability details

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without…

more

proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection vulnerability in web application (ChurchCRM) enables exploitation of public-facing app (T1190), data collection from databases (T1213.006), stored data manipulation (T1565.001), and data destruction (T1485) via arbitrary SQL queries for exfiltration, modification, or deletion.

CVEs Like This One

CVE-2025-1135Same product: Churchcrm Churchcrm
CVE-2026-39343Same product: Churchcrm Churchcrm
CVE-2026-39329Same product: Churchcrm Churchcrm
CVE-2026-24854Same product: Churchcrm Churchcrm
CVE-2025-1134Same product: Churchcrm Churchcrm
CVE-2025-1133Same product: Churchcrm Churchcrm
CVE-2026-39319Same product: Churchcrm Churchcrm
CVE-2026-39340Same product: Churchcrm Churchcrm
CVE-2026-39342Same product: Churchcrm Churchcrm
CVE-2026-39325Same product: Churchcrm Churchcrm

Affected Assets

churchcrm
churchcrm
≤ 5.13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the newCountName input parameter to prevent time-based blind SQL injection in the EditEventTypes functionality.

prevent

Mandates identification, reporting, and correction of the specific SQL injection flaw in ChurchCRM 5.13.0 and prior versions.

detect

Vulnerability scanning would identify the time-based blind SQL injection vulnerability in the affected ChurchCRM application.

References