CVE-2025-62521: CWE-94: Improper Control of Generation of Code ('Code Injection') in ChurchCRM CRM
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.
AI Analysis
Technical Summary
CVE-2025-62521 is a critical vulnerability in ChurchCRM, an open-source church management system, affecting versions prior to 5.21.0. It is an instance of improper control of code generation (CWE-94) in the setup wizard: `setup/routes/setup.php` concatenates user-supplied values from the setup form directly into a PHP configuration template, without validation or escaping, and writes the result to `Include/Config.php`. Because that file is loaded on every request, a form value containing PHP syntax (for example one that terminates the quoted string it is placed in and appends a statement) becomes code that runs on each page load, giving remote code execution with the privileges of the web server user. Any parameter of the setup form can carry the payload. The wizard is reachable without authentication and the attack needs no user interaction, so the exposure window is the whole period during which an instance is reachable with setup still incomplete, on fresh deployments and on re-installations alike; an attacker who reaches the wizard first can seed a backdoor before the administrator ever logs in. The CVE carries a CVSS v3.1 base score of 10.0 (network attack vector, no privileges required, no user interaction, complete loss of confidentiality, integrity and availability). No in-the-wild exploitation had been reported at the time of analysis, but the attack is trivial to carry out, so it should be treated as urgent. Version 5.21.0 fixes the issue by validating and sanitizing setup input before it is written into the configuration file.
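To make the CWE-94 pattern concrete, here is an added PHP illustration written for this page; it is not ChurchCRM's code, and the template shape, the form field names (`DB_SERVER_NAME`, `DB_DATABASE`), the emitted variable names and the validation patterns are all assumptions. The unsafe generator splices request values into PHP source exactly as the advisory describes; the hardened generator allow-lists the fields, validates each value, and emits it through `var_export()` so it can only ever be a string literal.

```php
<?php
// Added example for this page, not ChurchCRM's own code.
// Field names, variable names and patterns are assumptions made for illustration.
declare(strict_types=1);

// Form field => [emitted variable, validation pattern] (hypothetical).
const CONFIG_FIELDS = [
    'DB_SERVER_NAME' => ['sSERVERNAME', '/^[A-Za-z0-9._-]{1,253}(?::\d{1,5})?\z/'], // host[:port]
    'DB_DATABASE'    => ['sDATABASE',   '/^[A-Za-z0-9_]{1,64}\z/'],
];

// Vulnerable pattern: request values spliced straight into PHP source. A value
// containing a single quote ends the literal and whatever follows is parsed as code.
function render_config_unsafe(array $params): string
{
    $out = "<?php\n";
    foreach (CONFIG_FIELDS as $field => [$var, $_]) {
        $out .= "\$" . $var . " = '" . ($params[$field] ?? '') . "';\n";
    }
    return $out;
}

// Hardened pattern: only known fields, each validated against a tight pattern, and
// every value emitted via var_export(), which produces a properly quoted and escaped literal.
function render_config_safe(array $params): string
{
    $lines = ['<?php'];
    foreach (CONFIG_FIELDS as $field => [$var, $pattern]) {
        $value = $params[$field] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Rejected value for {$field}");
        }
        $lines[] = '$' . $var . ' = ' . var_export($value, true) . ';';
    }
    return implode("\n", $lines) . "\n";
}

// The wizard must also be one-shot: refuse to run once a configuration exists,
// otherwise an attacker can re-run setup on a live instance.
function setup_allowed(string $configPath): bool
{
    return !file_exists($configPath);
}

// Constructed demonstration input: a host value that closes the literal and appends a statement.
$crafted = [
    'DB_SERVER_NAME' => "localhost'; echo 'injected'; //",
    'DB_DATABASE'    => 'churchcrm',
];

echo "--- unsafe output (payload becomes a PHP statement) ---\n";
echo render_config_unsafe($crafted);

echo "--- safe output ---\n";
try {
    echo render_config_safe($crafted);
} catch (InvalidArgumentException $e) {
    echo 'setup aborted: ', $e->getMessage(), "\n";
}

// Even with validation bypassed, var_export() keeps the payload inside the literal:
echo var_export($crafted['DB_SERVER_NAME'], true), "\n";
```

Run with `php example.php`. The unsafe branch prints a config whose second line contains `echo 'injected';` as live code; the safe branch rejects the value, and the final line shows the payload rendered as a single escaped string (`'localhost\'; echo \'injected\'; //'`). Validation and escaping are independent layers: the allow-list stops junk reaching the file, `var_export()` guarantees that whatever does reach it is data, and the one-shot check closes the re-install window.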
Potential Impact
For European organizations running ChurchCRM, typically religious institutions and affiliated non-profits, this vulnerability is a severe risk. Successful exploitation yields full control of the web server: the attacker can run arbitrary code, read and alter member records, steal personal and financial data, and stage further malware. Because the attack works before any administrator account exists, an attacker who reaches an instance while setup is incomplete can plant a persistent backdoor that survives the legitimate installation. Availability is affected as well, since the attacker can deface or disable the application. ChurchCRM is typically run by small and medium-sized organizations with limited security staffing, so exposed, unpatched instances are likely to persist longer than in larger environments. A compromised instance could also serve as a foothold for wider campaigns against faith-based organizations in Europe.
Mitigation Recommendations
Upgrade every ChurchCRM installation to version 5.21.0 or later. An instance that was installed with an earlier version on an internet-reachable host should be treated as potentially compromised rather than simply upgraded: inspect `Include/Config.php` for PHP statements that are not plain configuration assignments, check the document root for dropped web shells, and review cron entries and outbound connections. Until the upgrade is in place, keep the setup wizard off the public network: deploy and complete installation from an isolated network or behind firewall rules that admit only administrator addresses, and never leave an unconfigured instance reachable while waiting to finish setup. A WAF rule that blocks PHP syntax (quotes, `<?php`, semicolons, function-call patterns) in setup-form fields raises the bar but is a stopgap, not a fix, and runtime application self-protection (RASP) adds a detection layer without substituting for the patch. Monitor web server logs for requests to the setup routes after installation has completed, and alert on any change to `Include/Config.php`; record the file's hash once setup is finished so later modifications are detectable. Keep regular offline backups of the configuration and database so a compromised host can be rebuilt from a known-good state.
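The integrity check recommended above can be automated. The following PHP script is an added example for this page (not a ChurchCRM tool): it tokenizes a configuration file and reports every token that is not part of a plain `$name = <scalar>;` assignment, comment or whitespace. It assumes a clean `Include/Config.php` contains only such assignments; before relying on it, run it against a file produced by a known-good 5.21.0 install and extend the allow-list (for example with `[`, `]` and `,` if the legitimate file uses arrays). The sample input is constructed to show what a quote-breakout injection looks like.

```php
<?php
// Added example for this page, not part of ChurchCRM. Flags anything in a
// generated Config.php that is not a plain scalar assignment. The allow-list is
// an assumption; tune it against a Config.php from a known-good install.
declare(strict_types=1);

function audit_config_php(string $source): array
{
    $allowedTypes = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_VARIABLE,
                     T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];
    $allowedChars = ['=', ';', '-'];            // '-' permits negative numbers
    $allowedWords = ['true', 'false', 'null'];   // the only bare words a scalar needs
    $findings = [];

    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if (in_array($id, $allowedTypes, true)) {
                continue;
            }
            if ($id === T_STRING && in_array(strtolower($text), $allowedWords, true)) {
                continue;
            }
            // Anything else (echo, eval, include, function names, a closing tag
            // followed by inline HTML, backticks, ...) is not configuration.
            $findings[] = sprintf('line %d: unexpected %s %s', $line, token_name($id), json_encode($text));
        } elseif (!in_array($tok, $allowedChars, true)) {
            // Single-character tokens carry no line number in token_get_all().
            $findings[] = sprintf('unexpected character %s', json_encode($tok));
        }
    }
    return $findings;
}

function audit_config_file(string $path): array
{
    $source = file_get_contents($path);
    if ($source === false) {
        throw new RuntimeException("cannot read {$path}");
    }
    return audit_config_php($source);
}

// Constructed sample: a config after a quote-breakout injection in the server name field.
$sample = <<<'PHP'
<?php
$sSERVERNAME = 'localhost'; echo 'injected'; //';
$sDATABASE = 'churchcrm';
$bDebug = false;
$iTimeout = -1;
PHP;

$findings = $argc > 1 ? audit_config_file($argv[1]) : audit_config_php($sample);
if ($findings === []) {
    echo "no unexpected tokens\n";
} else {
    foreach ($findings as $f) {
        echo $f, "\n";
    }
    exit(1);
}
```

Run as `php audit.php Include/Config.php`; with no argument it audits the built-in sample and reports `line 2: unexpected T_ECHO "echo"`, since the injected statement is the only token outside the allow-list. A non-zero exit status makes it usable from a post-install hook or a cron job that also compares the file's hash against the one recorded when setup completed.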
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-15T15:03:28.135Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694302860b6f32e62bed0ec0
Added to database: 12/17/2025, 7:20:38 PM
Last enriched: 12/17/2025, 7:35:50 PM
Last updated: 12/18/2025, 5:57:43 AM
Related Threats
- CVE-2025-47387: CWE-822 Untrusted Pointer Dereference in Qualcomm, Inc. Snapdragon (High)
- CVE-2025-47382: CWE-863: Incorrect Authorization in Qualcomm, Inc. Snapdragon (High)
- CVE-2025-47372: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') in Qualcomm, Inc. Snapdragon (Critical)
- CVE-2025-47350: CWE-416 Use After Free in Qualcomm, Inc. Snapdragon (High)
- CVE-2025-47325: CWE-822 Untrusted Pointer Dereference in Qualcomm, Inc. Snapdragon (Medium)