CVE-2025-62521
Published: 17 December 2025
Summary
CVE-2025-62521 is a critical-severity Code Injection (CWE-94) vulnerability in ChurchCRM (vendor: ChurchCRM). Its CVSS v3.1 base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the lack of validation and sanitization of user input from the setup form, preventing arbitrary PHP code injection into the configuration file.
- SI-2 (Flaw Remediation): ensures timely patching to version 5.21.0, which remediates the code injection flaw in the setup wizard.
- SI-7 (Software, Firmware, and Information Integrity): monitors the integrity of Include/Config.php to detect unauthorized modifications from injected PHP code.
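A hash-based integrity monitor tells you that Include/Config.php changed, not whether the change is a payload. The following is an added example written for this page (it is not ChurchCRM code and not part of any of the controls listed above) that complements the hash check by tokenizing a candidate config file and reporting any construct a plain list of literal assignments should never contain: function calls, include/require, eval, backtick execution. The function names, the allowlist of benign helpers and the two sample file contents are constructed for the example.

```php
<?php
// Added example, not ChurchCRM code. A legitimate Include/Config.php is a list of
// assignments of literal values; function calls, include/require, eval and backtick
// execution are exactly what an injected payload needs. Names below are assumed.

const CONFIG_ALLOWED_CALLS = ['define', 'dirname'];   // assumed benign helpers

// Baseline check: compare against a known-good SHA-256 in constant time.
function configMatchesBaseline(string $source, string $expectedSha256): bool
{
    return hash_equals($expectedSha256, hash('sha256', $source));
}

// Semantic check: return a list of suspicious constructs found in PHP source.
function scanConfigSource(string $source, array $allowedCalls = CONFIG_ALLOWED_CALLS): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];

        if ($tok === '`') {                         // shell execution operator
            $findings[] = 'backtick shell execution';
            continue;
        }
        if (!is_array($tok)) {
            continue;                               // punctuation: ; = ( ) [ ]
        }
        [$id, $text, $line] = $tok;

        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $findings[] = "line $line: $text";
            continue;
        }

        // Look past whitespace to the next significant token.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        $next = $tokens[$j] ?? null;

        // identifier( ... ) is a function call unless allowlisted; $var( ... ) is a dynamic call.
        if ($id === T_STRING && $next === '(' && !in_array(strtolower($text), $allowedCalls, true)) {
            $findings[] = "line $line: call to $text()";
        } elseif ($id === T_VARIABLE && $next === '(') {
            $findings[] = "line $line: dynamic call through $text";
        }
    }
    return $findings;
}

// Constructed samples (not real ChurchCRM files): a clean config and one where a
// setup-form value closed the string literal and appended a call to system().
$cleanConfig    = "<?php\n\$sSERVERNAME = 'localhost';\n\$sUSER = 'churchcrm';\n";
$injectedConfig = "<?php\n\$sSERVERNAME = 'localhost'; system(\$_GET['c']); //';\n\$sUSER = 'churchcrm';\n";

$baseline = hash('sha256', $cleanConfig);           // stand-in for a stored known-good hash
foreach (['clean' => $cleanConfig, 'injected' => $injectedConfig] as $label => $src) {
    $findings = scanConfigSource($src);
    printf("%s: baseline %s; %s\n",
        $label,
        configMatchesBaseline($src, $baseline) ? 'matches' : 'differs',
        $findings ? implode('; ', $findings) : 'no suspicious constructs');
}
```

Run it after every legitimate reconfiguration and re-record the baseline; the tokenizer pass is what catches a payload that was present from the first install, where there is no older baseline to differ from.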
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Pre-authentication RCE in a public-facing web application (ChurchCRM setup wizard) directly maps to T1190: Exploit Public-Facing Application.
NVD Description
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.
Deeper analysis
CVE-2025-62521 is a pre-authentication remote code execution vulnerability affecting ChurchCRM, an open-source church management system, in versions prior to 5.21.0. The flaw resides in the setup wizard at `setup/routes/setup.php`, where user input from the setup form is directly concatenated into a PHP configuration template without validation or sanitization. This allows arbitrary PHP code injection into `Include/Config.php`, which is subsequently executed on every page load, earning a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and mapping to CWE-94 (Code Injection).
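The concatenation pattern described in the NVD text and in the paragraph above, shown as an added illustration written for this page. It is not ChurchCRM's code: the variable name `$sSERVERNAME`, the function names, the validator and the sample payload are all assumptions. The point it makes is that the closing quote inside the submitted value ends the string literal, the trailing `//` comments out the template's own closing `';`, and the file still parses, so the payload runs on the next request.

```php
<?php
// Added illustration, not ChurchCRM code: how splicing form input into a PHP
// config template becomes CWE-94, and two ways to close the hole.
// Names and the payload are assumptions made for the example.

// Constructed sample form input: a hostname with a PHP payload appended.
$hostile = "localhost'; system(\$_GET['c']); //";

// VULNERABLE pattern: raw concatenation into PHP source. The quote in the input
// terminates the literal, the rest is executable code, and the trailing // hides
// the template's own closing quote so the file stays syntactically valid.
function buildConfigVulnerable(string $dbServer): string
{
    return "<?php\n\$sSERVERNAME = '" . $dbServer . "';\n";
}

// HARDENED pattern: emit the value as a PHP literal with var_export(), which
// escapes backslashes and single quotes so the input can never leave the string.
function buildConfigSafe(string $dbServer): string
{
    return "<?php\n\$sSERVERNAME = " . var_export($dbServer, true) . ";\n";
}

// Defence in depth: reject anything that is not a plausible host name before it
// is written at all (assumed rule; real deployments may also allow IPv6 literals).
function validateHost(string $host): bool
{
    return (bool) preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host);
}

echo "--- vulnerable output (payload is live code) ---\n", buildConfigVulnerable($hostile);
echo "--- hardened output (payload stays a string) ---\n", buildConfigSafe($hostile);
echo "host accepted by validator: ", var_export(validateHost($hostile), true), "\n";
```

The vulnerable output is `$sSERVERNAME = 'localhost'; system($_GET['c']); //';`, which PHP executes; the hardened output is `$sSERVERNAME = 'localhost\'; system($_GET[\'c\']); //';`, an inert string. Validation alone is not enough, because any parameter written into the template needs the same escaping; escaping alone is not enough either, because a hostname that is syntactically a string but semantically garbage still breaks the install, so do both.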
Because the setup wizard is reachable without credentials, an unauthenticated attacker can exploit this for as long as the installation process (which administrators must complete to bring the application up) is exposed to untrusted clients. PHP code submitted in any setup form parameter is written into `Include/Config.php`, so the payload persists on disk and runs on every subsequent request in the context of the web server process, giving full server compromise. Whether a given deployment was actually hit depends on who could reach the wizard at install time; instances that were installed on an affected version should have `Include/Config.php` reviewed for anything other than plain configuration assignments.
The GitHub Security Advisory (GHSA-m8jq-j3p9-2xf3) confirms that ChurchCRM version 5.21.0 addresses the issue with a patch, recommending immediate upgrades for all prior installations.
Details
- CWE(s)