CVE-2025-68109: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ChurchCRM CRM
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-68109 is an OS command injection vulnerability identified in ChurchCRM, an open-source church management system. The flaw exists in versions prior to 6.5.3 within the Database Restore feature, which fails to validate both the content and the file extension of uploaded files. This lack of validation allows an authenticated attacker to upload arbitrary files, including a malicious web shell, and then to upload a .htaccess file that reconfigures the web server to serve the web shell directly. Once accessed, the web shell provides remote code execution (RCE) on the underlying server, letting the attacker run arbitrary commands with the privileges of the web server process. The vulnerability is classified under multiple CWEs: CWE-78 (OS Command Injection), CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-494 (Download of Code Without Integrity Check), CWE-552 (Files or Directories Accessible to External Parties), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The CVSS v3.1 base score is 9.1 (critical): attack vector network, attack complexity low, privileges required high, no user interaction, scope changed, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability presents a significant risk because it can lead to full server compromise. Version 6.5.3 of ChurchCRM addresses the issue by validating and restricting file uploads in the Database Restore functionality.
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses a critical risk. Successful exploitation can lead to full remote code execution on servers hosting the CRM, potentially exposing sensitive personal data of church members and staff, disrupting church operations, and enabling further lateral movement within the network. The compromise of such systems could also lead to reputational damage and legal consequences under GDPR due to unauthorized access to personal data. Given that the vulnerability requires authenticated access, insider threats or compromised credentials could be leveraged by attackers. The ability to upload web shells and execute arbitrary commands could allow attackers to deploy ransomware, steal data, or establish persistent backdoors. The impact extends beyond individual churches to any affiliated organizations relying on ChurchCRM for member management and communication, making it a significant concern for religious institutions across Europe.
Mitigation Recommendations
Immediate mitigation involves upgrading ChurchCRM installations to version 6.5.3 or later, which contains the necessary patches to validate file uploads properly. Organizations should enforce strict access controls to limit who can perform database restores and upload files, ideally restricting this functionality to trusted administrators only. Implementing web application firewalls (WAFs) with rules to detect and block web shell signatures and suspicious file uploads can provide additional protection. Regularly audit file upload directories for unauthorized files such as .htaccess or web shells. Employ network segmentation to isolate CRM servers from critical infrastructure and sensitive data stores. Monitoring server logs and file system changes can help detect early signs of exploitation. Additionally, enforcing multi-factor authentication (MFA) for administrative access reduces the risk of credential compromise. Backup strategies should be reviewed to ensure quick recovery in case of compromise. Finally, educating administrators about the risks of improper file uploads and maintaining up-to-date software versions is essential.
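Two of the recommendations above, validating restore uploads by extension and content and auditing upload directories for planted .htaccess files or PHP, are shown below as an added example; this is not ChurchCRM's own code, and the suffix allowlist, regexes, 4 KiB inspection window and sample dump are constructed assumptions. Python is used to illustrate the checks an operator script or the PHP upload handler would apply.

```python
import gzip
import os
import re
import zlib

# Constructed policy for a restore upload (added example, not ChurchCRM's code):
# accept only a plain or gzip-compressed SQL dump, and inspect bytes, not just names.
ALLOWED_SUFFIXES = (".sql", ".sql.gz")
GZIP_MAGIC = b"\x1f\x8b"
# Dotfiles such as .htaccess, plus anything the PHP handler could execute.
SUSPECT_NAME = re.compile(r"^\.|\.ph(p\d?|tml|ar)(\.|$)", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SQL_HINT = re.compile(rb"^\s*(--|/\*|(CREATE|DROP|INSERT|SET|USE|LOCK)\b)", re.I | re.M)

def validate_restore_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); the CVE stems from trusting the name alone."""
    if not filename or os.path.basename(filename) != filename:
        return False, "path components in filename"
    if SUSPECT_NAME.search(filename):
        return False, "dotfile or executable extension"
    if not filename.lower().endswith(ALLOWED_SUFFIXES):
        return False, "extension not in allowlist"
    if filename.lower().endswith(".gz"):
        if not content.startswith(GZIP_MAGIC):
            return False, "gzip extension but no gzip magic"
        try:
            head = gzip.decompress(content)[:4096]
        except (OSError, EOFError, zlib.error):
            return False, "corrupt gzip stream"
    else:
        head = content[:4096]
    if PHP_TAG.search(head):
        return False, "PHP open tag inside dump body"
    if not SQL_HINT.search(head):
        return False, "body does not look like a SQL dump"
    return True, "ok"

def audit_entries(entries: dict[str, bytes]) -> list[tuple[str, str]]:
    """Audit {path: first bytes} of an upload directory for planted config or PHP."""
    findings = []
    for path, head in entries.items():
        if SUSPECT_NAME.search(os.path.basename(path)):
            findings.append((path, "unexpected dotfile or executable extension"))
        elif PHP_TAG.search(head):
            findings.append((path, "PHP open tag inside a non-PHP file"))
    return findings

# Constructed sample inputs (not real ChurchCRM data) for a quick self-check.
GOOD_DUMP = b"-- MySQL dump 10.19\nCREATE TABLE people (id INT);\n"
GOOD_DUMP_GZ = gzip.compress(GOOD_DUMP)
```

For a real audit, walk the upload directory with os.walk, read the first 4 KiB of each file and pass the mapping to audit_entries; the PHP-tag check is a heuristic, so review hits rather than deleting them automatically.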
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Poland, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T14:44:59.220Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943229bfab815a9fc1fb3e3
Added to database: 12/17/2025, 9:37:31 PM
Last enriched: 12/24/2025, 10:55:22 PM
Last updated: 2/6/2026, 11:54:23 PM