CVE-2025-11529
Published: 09 October 2025
Summary
CVE-2025-11529 is a high-severity Improper Authentication (CWE-287) vulnerability in ChurchCRM (vendor: Churchcrm). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 30.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to API endpoints, directly preventing the unauthorized access that the missing authentication check in AuthMiddleware would otherwise allow.
- Flaw remediation (patching): requires timely remediation of the specific flaw by applying patch commit 3a1cffd2aea63d884025949cfbcfd274d06216a4, which eliminates the missing-authentication vulnerability.
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly defines and restricts the actions permitted without identification or authentication, mitigating the bypass of critical API functions (CWE-306).
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability is a missing authentication check in the API endpoint of a public-facing web application (ChurchCRM). It lets remote attackers bypass authentication and reach protected functionality, which maps directly to Exploit Public-Facing Application (T1190).
NVD Description
A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue.
Deeper analysis [AI]
CVE-2025-11529 is a missing authentication vulnerability affecting ChurchCRM versions up to 5.18.0. The flaw resides in the AuthMiddleware function within the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php, part of the API Endpoint component. This issue, classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), allows manipulation that bypasses required authentication checks.
Remote attackers need no privileges (PR:N), can exploit it over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), and achieve low impact on confidentiality, integrity, and availability (C:L/I:L/A:L), giving a CVSS 3.1 base score of 7.3. Unauthenticated adversaries can thus reach protected API endpoints, potentially leading to unauthorized data exposure, modification, or disruption within ChurchCRM instances.
Mitigation involves applying the patch commit 3a1cffd2aea63d884025949cfbcfd274d06216a4, available via the ChurchCRM GitHub repository (e.g., pull request #7376). Advisories from sources like uartu0's GitHub advisory and VulDB recommend immediate patching, as a public exploit has been released and may enable active attacks.
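The AC-3 and AC-14 controls named above, shown as an added example that is not ChurchCRM's AuthMiddleware and not taken from the patch: a fail-closed Slim 4 (PSR-15) middleware that denies every API request unless the caller is authenticated, with the only unauthenticated actions listed explicitly. The route paths in PUBLIC_ROUTES and the injected $isAuthenticated callable are hypothetical.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

// Fail-closed API authentication middleware (added example, not ChurchCRM's AuthMiddleware).
// AC-3:  every API request is denied unless the caller is authenticated.
// AC-14: the only actions reachable without authentication are the exact paths in PUBLIC_ROUTES.
final class FailClosedAuthMiddleware implements MiddlewareInterface
{
    // Exact request paths permitted without identification or authentication (hypothetical values).
    private const PUBLIC_ROUTES = ['/api/public/version', '/api/public/health'];
    /** @var callable(ServerRequestInterface): bool  returns true only for a valid session or API key */
    private $isAuthenticated;

    public function __construct(private readonly ResponseFactoryInterface $responseFactory, callable $isAuthenticated)
    {
        $this->isAuthenticated = $isAuthenticated; // supplied by the application (assumed)
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Exact match on the trailing-slash-normalised path. No prefix matching: a prefix rule
        // would silently turn one public route into a whole unauthenticated subtree.
        $path = rtrim($request->getUri()->getPath(), '/') ?: '/';
        if (in_array($path, self::PUBLIC_ROUTES, true)) {
            return $handler->handle($request);
        }
        // Default deny: a failing or throwing authenticator counts as "not authenticated".
        try {
            $ok = ($this->isAuthenticated)($request) === true;
        } catch (\Throwable $e) {
            $ok = false;
        }
        if ($ok) {
            return $handler->handle($request);
        }
        // Refuse before any route handler runs, and log the denial so it can be alerted on.
        $ip = $request->getServerParams()['REMOTE_ADDR'] ?? 'unknown';
        error_log(sprintf('API auth denied: %s %s from %s', $request->getMethod(), $path, $ip));
        $response = $this->responseFactory->createResponse(401);
        $response->getBody()->write(json_encode(['error' => 'authentication required']));
        return $response->withHeader('Content-Type', 'application/json')->withHeader('WWW-Authenticate', 'Bearer realm="api"');
    }
}
```

It is registered in a Slim 4 application with `$app->add(new FailClosedAuthMiddleware($app->getResponseFactory(), $authCheck))`, where `$authCheck` is the application's own session or API-key validator.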
Details
- CWE(s)