CVE-2025-68109
Published: 17 December 2025
Summary
CVE-2025-68109 is a critical-severity OS Command Injection (CWE-78) vulnerability in ChurchCRM (vendor: ChurchCRM). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the unrestricted file upload vulnerability by requiring validation of file content and extensions in the Database Restore functionality to prevent web shell uploads.
- Enforces restrictions on file types and inputs at the upload interface, blocking malicious files like web shells and .htaccess before they can be processed.
- Requires timely identification, reporting, and correction of flaws such as the lack of upload validation, enabling patching to version 6.5.3 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload vulnerability in public-facing web application (ChurchCRM) enables exploitation of public-facing application (T1190), privilege escalation via RCE (T1068), and deployment/execution of web shells (T1505.003).
NVD Description
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.
Deeper analysis
CVE-2025-68109 affects ChurchCRM, an open-source church management system, in versions prior to 6.5.3. The vulnerability resides in the Database Restore functionality, which fails to validate the content or file extension of uploaded files. This flaw enables attackers to upload malicious files, such as a web shell, and a supporting .htaccess file to bypass restrictions and gain direct access, ultimately leading to remote code execution (RCE) on the server. The issue is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is associated with CWEs including CWE-78 (OS Command Injection), CWE-434 (Unrestricted Upload), CWE-494 (Download of Code Without Integrity Check), CWE-552 (Files or Directories Accessible to External Parties), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).
Exploitation requires high privileges (PR:H), such as administrative access within the ChurchCRM application, accessible over the network with low complexity and no user interaction. A privileged attacker can leverage the Database Restore feature to upload a web shell file, followed by a .htaccess file to enable its execution via direct web access. Successful exploitation grants RCE, allowing full compromise of the server with high confidentiality, integrity, and availability impacts, particularly due to the changed scope (S:C).
The GitHub Security Advisory (GHSA-pqm7-g8px-9r77) confirms that ChurchCRM version 6.5.3 addresses the vulnerability by implementing proper validation of uploaded files in the Database Restore functionality. Security practitioners should upgrade to version 6.5.3 or later and review access controls for privileged users.
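As an added illustration (not ChurchCRM's own code; the accepted dump formats, the marker list and the function names are assumptions), the following validator shows the two checks the advisory says were missing from the restore upload: an extension allowlist applied to a sanitized basename, and a content check that the bytes actually match what the extension claims.

```python
import gzip
import io
import posixpath
import re
from typing import Optional, Tuple

# Assumed allowlist for a hypothetical database-restore endpoint; the page does
# not state which dump formats ChurchCRM accepts, so these are constructed values.
ALLOWED_EXTENSIONS = (".sql.gz", ".sql")  # longest suffix first
GZIP_MAGIC = b"\x1f\x8b"
# Strings that never belong in a SQL dump but turn an upload into executable
# code or web-server configuration. Matching them is deliberately strict.
EXECUTABLE_MARKERS = (b"<?php", b"<?=", b"AddHandler", b"AddType", b"SetHandler")

# Constructed sample inputs so the block runs offline.
SAMPLE_SQL_DUMP = b"-- MySQL dump\nCREATE TABLE t (id INT);\n"
SAMPLE_GZIP_DUMP = gzip.compress(SAMPLE_SQL_DUMP)


def allowed_extension(name: str) -> Optional[str]:
    """Return the allowlisted suffix of `name`, or None if it has none."""
    lower = name.lower()
    for ext in ALLOWED_EXTENSIONS:
        if lower.endswith(ext):
            return ext
    return None


def validate_restore_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_safe_name). Name and bytes are both checked,
    because the CVE stems from trusting the client's name and ignoring content."""
    # 1. Never trust the client's path: keep the basename only and reject dotfiles.
    #    A leading dot is exactly how .htaccess passes an extension-only check.
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False, "dotfile or empty name rejected"
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        return False, "unexpected characters in filename"
    # 2. Allowlist the full suffix, so "dump.sql.php" fails here.
    ext = allowed_extension(name)
    if ext is None:
        return False, "extension not in allowlist"
    # 3. The content must be what the extension claims; inspect a bounded prefix.
    if ext == ".sql.gz":
        if not data.startswith(GZIP_MAGIC):
            return False, "gzip extension but no gzip magic"
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
                payload = fh.read(65536)
        except OSError:
            return False, "gzip archive is corrupt"
    else:
        payload = data[:65536]
    if any(marker in payload for marker in EXECUTABLE_MARKERS):
        return False, "executable or server-config content inside upload"
    return True, name
```

Rejecting a dump whose data happens to contain one of the marker strings is the safe failure direction for a restore endpoint; loosen the marker list only with a matching content parser.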
Details
- CWE(s)