Cyber Resilience

CVE-2025-11529

Severity: Medium (public PoC available)
Published: 09 October 2025
Modified: 29 April 2026
CISA KEV: not listed
CVSS v4 base score: 5.5
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0016 (36.9th percentile)
Risk priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11529 is a medium-severity Improper Authentication (CWE-287) vulnerability in ChurchCRM (CPE vendor/product: churchcrm/churchcrm). Its CVSS v4 base score is 5.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks this CVE at the 36.9th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2025-11529 is a missing-authentication vulnerability affecting ChurchCRM versions up to 5.18.0. The flaw resides in the AuthMiddleware function in the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php, part of the API Endpoint component. Classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), the issue allows a crafted request to bypass the authentication check that is supposed to guard protected endpoints.

Remote attackers need no privileges (PR:N) and can exploit the flaw over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), achieving low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L); under CVSS 3.1 this scores 7.3, while the CVSS v4 base score shown above is 5.5. Unauthenticated adversaries can thus reach protected API endpoints, potentially leading to unauthorized data exposure, modification, or disruption within ChurchCRM instances.

Mitigation is to apply patch commit 3a1cffd2aea63d884025949cfbcfd274d06216a4, available from the ChurchCRM GitHub repository (e.g., pull request #7376). Advisories from uartu0's GitHub advisory and VulDB recommend immediate patching, since a public exploit has been released and may enable active attacks.

Vulnerability details

A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a missing authentication flaw in a public-facing web application's API endpoint (ChurchCRM), enabling remote attackers to bypass authentication and access protected functionality, directly mapping to exploitation of public-facing applications.

CVEs Like This One

CVE-2026-39339 (same product: Churchcrm Churchcrm)
CVE-2026-39334 (same product: Churchcrm Churchcrm)
CVE-2026-39326 (same product: Churchcrm Churchcrm)
CVE-2026-39327 (same product: Churchcrm Churchcrm)
CVE-2026-39341 (same product: Churchcrm Churchcrm)
CVE-2026-39337 (same product: Churchcrm Churchcrm)
CVE-2025-62521 (same product: Churchcrm Churchcrm)
CVE-2026-39330 (same product: Churchcrm Churchcrm)
CVE-2026-39318 (same product: Churchcrm Churchcrm)
CVE-2026-39342 (same product: Churchcrm Churchcrm)

Affected Assets

Vendor: churchcrm
Product: churchcrm
Versions: ≤ 5.19.0

Mitigating Controls (NIST 800-53 r5, AI)

Prevent, AC-3 (Access Enforcement): Directly enforces authentication decisions in AuthMiddleware before permitting access to protected API endpoints, blocking the missing-auth bypass in CVE-2025-11529.

Prevent, IA-8 (Identification and Authentication (Non-organizational Users)): Requires identification and authentication of non-organizational users before granting access to the ChurchCRM API, directly closing the CWE-287/CWE-306 flaw.

Prevent: Limits privileges on API functions so that even if authentication is bypassed, the impact of unauthorized access remains constrained.
