CVE-2025-68109

CRITICAL

ChurchCRM < 6.5.3 - Remote Code Execution via Database Restore File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-68109. PoCs published by LucasCsmt, including Metasploit module exploits/multi/http/churchcrm_db_restore_rce.

AI-analyzed exploit summary This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in ChurchCRM versions prior to 6.2.0 by leveraging the Database Restore functionality. It allows an authenticated admin user to upload a malicious backup file and bypass upload restrictions via a crafted .htaccess file, leading to PHP code execution.

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

Exploits (1)

metasploit WORKING POC NORMAL

by LucasCsmt · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/churchcrm_db_restore_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in ChurchCRM versions prior to 6.2.0 by leveraging the Database Restore functionality. It allows an authenticated admin user to upload a malicious backup file and bypass upload restrictions via a crafted .htaccess file, leading to PHP code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ChurchCRM < 6.2.0

Auth required

Prerequisites: Authenticated admin credentials · Access to the Database Restore functionality

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77

Scores

CVSS v3 9.1

EPSS 0.2363

EPSS Percentile 96.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-552 CWE-915 CWE-78 CWE-494 CWE-434

Status published

Products (1)

churchcrm/churchcrm < 6.5.3

Published Dec 17, 2025

Tracked Since Feb 18, 2026