CVE-2025-62521

EIP tracks 1 public exploit for CVE-2025-62521. PoCs published by LucasCsmt, including Metasploit module exploits/multi/http/churchcrm_install_unauth_rce.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated RCE vulnerability in ChurchCRM 6.8.0 and earlier by injecting malicious PHP code into the installation process via the 'setup' page. It supports multiple payload types (Linux command stager, PHP in-memory, and PHP fetch) and executes arbitrary commands on the target server.

ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.